23542300x8000000000000000320271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:47.591{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A621B8FAD832764B794B8E91043F993,SHA256=CA62C8E5D89362086534735B3AC31C9FB599BDA52534E770D2AA158D64F50BFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.410{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7023EAC74833A625AD1FF676654E00E1,SHA256=7F7702B9A401BCBE13BE0B60F432BDCCCBF33CBA05F6B0BFFA037951AAE6EFBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:47.008{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-099MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.238{45AAC21C-B353-63D3-A903-00000000BC02}60483292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B353-63D3-A903-00000000BC02}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B353-63D3-A903-00000000BC02}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B353-63D3-A903-00000000BC02}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.062{45AAC21C-B353-63D3-A903-00000000BC02}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.014{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49E038AC08E30C91BED56E8D4CE64EDA,SHA256=D9CF0DD7C6BF58C748AC98C7B30FBF0AD19F46182F032A12A6A7F2D67A522CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:48.691{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4C4F082969EAD567A2D61BAFB31615,SHA256=3400367DAE731A6AB70E62A4676F25BD706C4C6AC78D8363BFA0EC977BC40BC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:46.244{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52636-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000446587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:46.244{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52636-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000446586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:44.707{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52635-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:48.501{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B987C5074B18BB08197DCC4C8C3FA7,SHA256=750174A362ED86C94FCAA64F39778D3A745A57B47685FD341A11F164B529A4B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:48.080{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=28DEA663624D00EA97EE6E1820AFA363,SHA256=B6C036D089F2F489341C2D28819A1A3F2345CACC7C51C028B4A1F86E911F1BA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:49.778{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18E65A5359D32DA150C7B1F1E093D7D,SHA256=0150794E3C51A7BC1EF13C4D2E8BC1772C2668DF54D3553CA57D2E9F811A7A9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.922{45AAC21C-B355-63D3-AB03-00000000BC02}42125980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B355-63D3-AB03-00000000BC02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B355-63D3-AB03-00000000BC02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B355-63D3-AB03-00000000BC02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.720{45AAC21C-B355-63D3-AB03-00000000BC02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.594{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51C12ABE99C8E1D12ECF2650E195465,SHA256=046E99F748FE0399CC2839429093883ACA7EFFF31F4B8BF055558D4F148F2435,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:46.294{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50921-false10.0.1.12-8000- 10341000x8000000000000000446597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.380{45AAC21C-B355-63D3-AA03-00000000BC02}24284872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B355-63D3-AA03-00000000BC02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B355-63D3-AA03-00000000BC02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B355-63D3-AA03-00000000BC02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.190{45AAC21C-B355-63D3-AA03-00000000BC02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:50.990{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C45B7EF8698BF101EDDF9BBF548307C,SHA256=41E6E195FAA5CD48DB1B83D6A9C406F2B84A19B801BF8CCBD0F42A57176B7F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.676{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=544352C22D8C5ACD396C58D4AA1AF4A5,SHA256=AD57D1425138AA3C4C69DAF113FB1F1147B714AC033AD811FCC928AAB7E94D55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.558{45AAC21C-B356-63D3-AC03-00000000BC02}26242476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B356-63D3-AC03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B356-63D3-AC03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B356-63D3-AC03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.348{45AAC21C-B356-63D3-AC03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.780{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021F65E070621DF26671610B5746422A,SHA256=1A0C27892C4D8B5523844ADE7C7DC77A145F593F1B5D50FF8BD2DA4273CB0131,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B357-63D3-AD03-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B357-63D3-AD03-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B357-63D3-AD03-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.765{45AAC21C-B357-63D3-AD03-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:52.887{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA218BC0F77EA73D2FED573FA777FB77,SHA256=0AE3EB12AD8C58A7319D078E062A28AFDB8601DD77B00DE1507C029B2DF97A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:52.871{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE60FEBB0F67C1FD440190B8379B0AF,SHA256=045AB78164686D9184CA170FFA8E92B27E759CE2E37CC675906F12B4A40AE0E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:52.189{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C35B21B785C3FAE91C1C74F82C69D8,SHA256=0CE5A22F6A5D713A390663FD2E144CB83944578634E629700EEA71AB12AFF4F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:53.953{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9A8C183C267EB3A824BAED154BF0F2,SHA256=81150A142DD4D263210E3F9CA2FB07517DD5C650F8D9DABA6F043B73D286A11F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.932{72106695-B359-63D3-9303-00000000BD02}54366036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B359-63D3-9303-00000000BD02}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B359-63D3-9303-00000000BD02}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B359-63D3-9303-00000000BD02}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-B359-63D3-9303-00000000BD02}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.267{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AF59E0EFC33F1405B067824FFC6CC7,SHA256=9392D22C9E2A676A28D1CB98D1167EDF680DEB48C5C249784F7AB19BB1F63345,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:51.299{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50922-false10.0.1.12-8000- 10341000x8000000000000000320305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35A-63D3-9503-00000000BD02}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B35A-63D3-9503-00000000BD02}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35A-63D3-9503-00000000BD02}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.813{72106695-B35A-63D3-9503-00000000BD02}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.797{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C2288417BB9988ECE2255FD1A9E8FD5,SHA256=9DD96A86AD2DCF0ED036EBA1D6042DC442980C40AABD904AF152FA1385E859C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.578{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=72A1A06454ECCBA4A9F8B6FFA072B9B1,SHA256=0D4B0B64C04D9B7FABA8BE3D42FE3DDF20F3F9C392A05DC5A856F25CB5BD8F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.356{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A344CE91AC907E2DF781E2102B1FF895,SHA256=16417B8417B585AAD35985AB3901FABA405DB9DB7A6923473843075A5A2A0EC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.844{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52637-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000320294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35A-63D3-9403-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B35A-63D3-9403-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35A-63D3-9403-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.139{72106695-B35A-63D3-9403-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35B-63D3-9703-00000000BD02}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B35B-63D3-9703-00000000BD02}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35B-63D3-9703-00000000BD02}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.953{72106695-B35B-63D3-9703-00000000BD02}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.515{72106695-B35B-63D3-9603-00000000BD02}56885412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.456{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4363C020AA16C43286C8B2FA7EB1A58,SHA256=AEE286FAE4ED1781C7A8155D766C5E3EA169CBB637F1DC8BE3915679FAC8C748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:55.057{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912D4B7651B5E558B837AE0BFC11EA0E,SHA256=D636B4EDC329EC0C2EB74172D264FC7EDB710E9195DA56FF77A7C3286632B4C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35B-63D3-9603-00000000BD02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B35B-63D3-9603-00000000BD02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35B-63D3-9603-00000000BD02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.316{72106695-B35B-63D3-9603-00000000BD02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.764{72106695-B35C-63D3-9803-00000000BD02}15525404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.576{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35C-63D3-9803-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.574{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.574{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.573{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.573{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.573{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B35C-63D3-9803-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.573{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35C-63D3-9803-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.572{72106695-B35C-63D3-9803-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.536{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D626B972B58A57ED56DF5E4ACBCE26,SHA256=87AE8B86D9885391F461A57698A3A1FE8A7920135F564FC27CBA448F384465A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:56.152{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5844036460BB11AC88B00E8A5D489382,SHA256=F0FEBC53D896773850681361DD5E44A6634DE3EB81B0E4494B27DF4274042BB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.143{72106695-B35B-63D3-9703-00000000BD02}18563160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.731{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDD65C2EB810E79DD89FD3B8A7FA514,SHA256=E2F48613E1B967A15D1F743946B6F5656A5C4898447CBBBD80BA8071E449449B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:57.238{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C181F66862CFA7F86EE4D0E2A3DF5565,SHA256=391DF69A3261BC900EF190D3D620B7ACEC4F402AA6E5892ABF853780ACF2FDB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35D-63D3-9903-00000000BD02}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B35D-63D3-9903-00000000BD02}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35D-63D3-9903-00000000BD02}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.125{72106695-B35D-63D3-9903-00000000BD02}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:58.822{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F923ABC6AADC550184E088715CE7A75,SHA256=E28F91A7A25DE60CF8D30957E4D3FC1280FF724ACED23F658D3B09E72CD5E077,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.520{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50923-false10.0.1.12-8000- 23542300x8000000000000000446635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:58.311{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B6B434E97602DEE9B79C461EF27D72,SHA256=81D42A3A0789D69D4274E38356C3338EF8A80E37145D0A155C6A1D2D4A40C1CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:58.453{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=975A04F65D3768A74817E995DB334013,SHA256=7B19DC295CD51EBFE4779AAB375AD4500ED6CA1957D4568032C8F9E6E7528A15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:55.768{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52638-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000320348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:59.918{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E19E9F10A313B9FC032AA72C9801C78,SHA256=DF7538E95DE4EC8FBC8A5FF80064B2A90F0BDD403FBE3D3435ACC2996354D359,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.554{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.532{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.518{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.503{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.496{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.492{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.458{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.451{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.429{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.423{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.414{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.403{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.395{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000446642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.393{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809AC2930A49C97F440A7447ABAF52F3,SHA256=48FBED29F86C35F5D02F971712435C07E3C5161EAF0FFEB4FC31A24AF6822F22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.382{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.373{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.364{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.355{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.307{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.304{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000446661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.425{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369729BB0FAEF8F39C3F0102C559E9D4,SHA256=CA5583426D7107B0500A8BA64A973252F53E8B8A3D8B5ACF4A56ED7070E47E4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.754{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.739{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.737{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.696{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.685{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.666{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.660{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.658{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.655{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.654{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.651{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.645{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.645{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.642{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.641{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.640{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.638{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.635{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.625{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.619{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.610{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.607{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.586{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.560{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.554{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.536{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.470{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.455{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.432{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.414{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.381{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.375{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.366{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.350{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.336{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.325{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.323{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000446660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.118{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.109{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.106{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.104{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.102{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000446662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:01.503{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E914A25976215888BE772BBA02E50509,SHA256=41EB8D549237BA3B30F676A89678D0F6FCC33ED1DA3505BCC644B6925A13BA80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:01.159{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55AF0CEC9F1E39B711B85338CE43941C,SHA256=CA77D3C09404D1D32B7E3740FD3690D3CBA4BE8B2008ACF037505ECAD3E4DDEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.818{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.791{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.786{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.769{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.757{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.730{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.724{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.714{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.699{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.698{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.695{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.693{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.691{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.689{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000446668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.594{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77697FD3EAD7EC6D7AB80AD51A954050,SHA256=33C0C49692860CD30B72FC935A34936DF6FB00B3672AB7ED910C1666A1DE4F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:02.176{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEBBBC1077461D1147C051F5145626F,SHA256=CE245D9400821905FA30E301F92458FAA7C0F4A4168E0808A218FB77B0201AD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.184{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.182{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.180{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.167{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.157{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000446683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:03.786{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BDDF6CE945761C6CDDE99348EB3B62,SHA256=E5BE8931F5439B6AC75722D4B4B3B0484CF0BA8F9F31EFAFB2E38FD6E73645B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:03.377{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AAE62C2D587899173D18BD06A6CBF0B,SHA256=85AB44A2EE3C1CFC8D8A171C3F57690F9C7C205CAE3D315606991A835883D46F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:04.866{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB8FB7C775C27EBFA925E443936B16F,SHA256=74EC877D7A5B6E664B1199DC60C146A05A5D1E765426020C804ED5B631D0F862,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:02.307{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50924-false10.0.1.12-8000- 10341000x8000000000000000320390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:04.728{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:04.478{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6AD5B64C89D843E32477BE313F40491,SHA256=BF250D13C2F5AFEA21F26CE08359FE4920CF78A8BAEEBBC3E2ECCD43AE223186,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:01.742{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52639-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:04.113{45AAC21C-9B96-63D3-2E00-00000000BC02}2804NT AUTHORITY\SYSTEMC:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\database_C64_5811_6457_FFBE\fsr00007.logMD5=AF4D225B60B65DEA33EF59F92EBCFC6A,SHA256=3FE807AB4B2509D9D058FC62DBB74CDEE8B5C3A1A66265522AF542733FAAA3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:04.004{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-098MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:05.575{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21325CC461ECBD7F1B42A80F166B159C,SHA256=23B91CC7D5A3CDE9933F1BC1EBCA065F62161716AA19047FD3A21A7AF5517F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:05.002{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-099MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.662{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8265681E334A63291C331EE4F28092C,SHA256=F5B79387570EEC18A4F08B9A74857237ED6842A057342C1335C55846220FCC3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:06.082{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6A7769EDE96FE7660080724390790B,SHA256=88C637D3854829779105BD58890111D0404EFD13863148F1AF6F0929C04DC439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:07.183{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8564C3AFF641AA446AF32BF3A20C371,SHA256=5BDB8ACE6D1CB827F2750BF5F845289563A5DCCC62132117A97A7045EA5CEBD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:08.267{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2A81FF8AB1071BDEAD4056D62ED7BB,SHA256=E6A4E4245D747D798CCE697F0A22374CEF2BE3FBE946DCD992CC0ED610617CFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:06.764{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52640-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:09.350{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E922C80D1CF4A2355D447E23FCCC4E,SHA256=84DB221F8B0D28E0667D123318F0E25F21699F7726657EAE26C1954EF5F5B074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:10.431{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E513B27BA5FF0D69AA099315387FF6A0,SHA256=4781856ACD93C760FAC7CF4D3F37BCD9C820BBF78202D7408F0A0BB6DDE21FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:11.550{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9466F704BA96F37B3F33D5727FE08360,SHA256=FDE9557173C0F01FA8FF07FBF94909F4EA5C8434A24FA7D7523AC3A56A143F63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:08.288{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50925-false10.0.1.12-8000- 23542300x8000000000000000446696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:12.772{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9809CD800390A5833B300E23FEEA8F,SHA256=F5CDB888688E31B2B544552766010583F8D0DE861A77FFCB33F95D4AA659D6BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:12.212{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D997E1000D3C66CAC338D026C922815F,SHA256=E33371C747D54570379AE7C805B15721EB430C6CB14F005DDF22FA6C83299DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:13.972{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA2179D21707514B31A80B8E43BF2B1,SHA256=314A7533AFA181185755CD281DE0945D5ACB2A5FDFB0379F6F6B29E6F5CECEFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:13.294{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B58ED8A256B6E3D7B7DDC87B50B1B75,SHA256=1196F0725795CCBC55BF0B461DA7FE557B74882EAC78200A22ECA88426D7B51B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:14.988{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=38BB658FE45C9E1285EA9DA5714AAF94,SHA256=37FEF2E395189EFE806ED416C8AA81943A45D441E2307E6BCFC4E3F63A118AAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:14.497{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5DF834B56BB8FAAC6DE3E0392A2B38,SHA256=F0D757CEEC755C7DC4AB94C7952EF5D4D674DA2E0C37490D7BA45FAD117C9579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:15.597{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70F5C80A597C245A5C92EDD52469F81,SHA256=7516D294C77AA3BD1F38B76A9482A07B47E3C5F2C3A91970DBA338E9D888BC0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:12.749{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52641-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:15.073{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4D73BD1420EC1CCF1D0C06B41C6D90,SHA256=860D554570293B1025560A12EB3D3200E6C645DE79C4020939700C01277193E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:16.794{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A697C2FA9065013EAFE0A5534AAFE673,SHA256=8ACCBFB169BB17FFD3488669E1999A9D0EFC273F49307648AF0B7A4E80E313E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:16.186{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148A156B8CDB6FED0B9C965AAE11B4DE,SHA256=80C39602CE011E89E03790653D17EAF96AF95AEC67AF664765DC01284167D348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:16.171{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E30F81A702F02EE3C1436A2BB3747475,SHA256=32488F6914C24F6982BD5C36FB6C181CAA1DF0CD20B639087CF649E9B91310B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:17.881{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E589BA203A9B9DA662AFCC50702DE95E,SHA256=E05AAC730F3ED670B425FF57C04D5D59C4441BE6414B8E694C87DE192F2D4D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:17.267{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C158F6B532AF7D01E63C5499D4D5F8,SHA256=10B5C519619CBC34A2EA01DE0966592A1BD57E4FC8AA5855444C770978F91346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:17.236{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=25928559D4423478D19F40F1766D0278,SHA256=23348DDF1B9FDA908ED7F7B7FA37042469FCDCC0600919827A3BA0B546E06B03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:17.412{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:17.412{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:17.412{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000320428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:14.301{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50926-false10.0.1.12-8000- 23542300x8000000000000000320433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:18.963{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3CE1784E06077BEAEAFFFFE0933487,SHA256=B6AC6D87FE8C770A1F40DA86A7F0D329ACAF037A9F19B26C78518470AB18CA1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:18.355{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0299BE4F53DB9885959DF4CA8BA469,SHA256=180C7D18F41B34C7867C9484922F859D99D612C0BEC2C5681923FC35B6EA95DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.662{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.647{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.640{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.637{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.635{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.631{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.575{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.569{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.554{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.549{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.526{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.516{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.491{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.441{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.440{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C99BF484FECC762A344E47BF9C45F72,SHA256=B2644C8E0DC75B0BC74C920CE0DEEC17932181207CFA76F57C8D768E2F892810,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.407{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.392{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.379{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.309{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.306{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000320471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.981{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.947{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.940{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.872{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.860{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.826{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.806{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.801{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.793{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.788{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.783{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.773{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.769{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.761{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.758{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.754{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.749{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.735{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.708{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.697{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.686{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.683{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.669{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.642{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.637{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.621{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.559{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.548{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.530{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.516{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.485{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.456{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.410{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.383{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.372{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.351{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.341{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000320434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.292{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF3B4307B3F9DF7A98DACD8BB44CAB7,SHA256=9814CD77D3AAB1E5E8F763234200A07CA4588832AD7441FC9EBC76620BFF1ED1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:17.866{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52642-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.458{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318FFECA826B6DAACF9BC4DF4B23E9A8,SHA256=ACD93D3F09E5F57E03FC39CD2FA77FB2F7AFB9F11D9840A116A0E754B3C2D0E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.408{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.402{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.399{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.395{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.390{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000320472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:21.778{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B167133BD4097A67DD5A1BA0EC21EF1A,SHA256=0FE05383A4C89417455BBAE1E676833BE4466A4F4C9A2D6510335290DA407721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:21.455{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=070AE7B0C375FC2DD63B5A39500DE660,SHA256=E10234872A05137FBE563D3009074F7D9BF70ADE1C541416E4C6EA92E9B0E766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:22.977{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90DB100E5C4CC3A64A3E10598E01E57D,SHA256=9A36B8B9EEC745A37DD0A683951CE24CB4D0480F19F9BEAF0BA07ECCC1239549,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.994{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.987{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.978{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.972{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.970{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.967{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.964{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.963{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.960{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.537{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF2F00747C65A0DE28F8A0BA9DEC591,SHA256=A1B530D4D927B0F7DB94A44D7D836317A2DAF0A5669CC32AC3D5F21C9D9B847B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.297{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50927-false10.0.1.12-8000- 10341000x8000000000000000446737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.446{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.445{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.444{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.434{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.427{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.624{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=041F866AE72EBE71FC1DDCEE7F5955C3,SHA256=46768719E538F2FF28E7F85E4E310086F226315586D0572AD9A1697EFB42CE1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:23.159{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:23.159{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:23.159{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:23.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.069{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.048{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.043{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.034{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.021{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:24.721{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5149845FCDA86CC30FD41E5C515B23,SHA256=A81C780D1C2DF3A3915DC4592ABBCB0BA0F671D1ED405BBB852E18CA3CF8333B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:24.063{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4B8334773C8B2C23BEAA0865E2A2B5,SHA256=457BDCEF088E0C5DCD23E6824B3777AE85ACF40A9DCDB24AE01D50FD4F3C3748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:25.821{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185778E62DC01D6FAFAA339F73F0F172,SHA256=29817013BDF70C1406C4E1FC29D580B10C3F8C8944F8730623C85D97994AF426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:25.166{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273F29BA69DF537AE328418F8D489F53,SHA256=353E19C93648070E7A1262439387A4683953D23B3907700C9DFB0BCDC883D072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:26.272{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBC242640AA643BA55110CDD7DFA992,SHA256=2775E49D47F36A5550EE644C0AF15EA2C6EE578E201384DA36E2EFA62A5746C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.811{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52643-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000320483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:27.568{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D371484151D886A6ACBD93D6764528EC,SHA256=B837C371428EC780DEEB8B29C4311AA28BF01936B62435B9EB3FF41A0B96CE94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:27.365{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BF62233977A9AB38CD79C572FB21CA,SHA256=E4CA7411BB2E80ECDEDFAD79BDCE7E3CBA12D71A63784436EDC513382C3AF38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:27.022{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5388432452CD2823A8098381EA74622,SHA256=2AFAA8D4A8A2E0F1172CBC8AA94B55F750E1F56B4F6D1A8FF60B61781984F55B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:25.346{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50928-false10.0.1.12-8000- 23542300x8000000000000000320484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:28.469{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1012DE7CC1F704E0299FF8BA9B143A1D,SHA256=5FE772F986008AEE41EE048FC875E5CB6BFA3155EEB43F706CDEC2C5527095B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:28.329{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322E4AF7561D04AA447F12FBF594778F,SHA256=13B2220207780D5EE2EF72ECFA51752B8ADC04AF5360E49E214F742CD87D512E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:29.563{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4511EB127F2B21107892063983CB2FCB,SHA256=95FB90BF32D464425F1821798541795871D59802EC95122853BEB67D64BEDB83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:29.431{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845243B512BD020D1F9D03DA2C843CEE,SHA256=EEB3615DF0096DB7A9A5977247536251D93E0E4109D0009C47C929FF4E49E9B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:30.633{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82FC20005AA9E78B2B085E899C9F9776,SHA256=F2B1122CD28225A8883108CB7DD8F8C07911A282F6B48A575C5909C231A09A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:30.657{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4056E579BEFFE78514372980C6743418,SHA256=4AFA19F43EE493F641C9FEE2FBDE0485D7E1BA55D681EB05462951F658B7DA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:31.762{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9EA80EFF591E32D7022CC40D12056A,SHA256=A98BBCD6AC7ED19630640EC7AB545A287A51CBBE12B40B32E51DF9FA73707BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:31.837{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F34EAAD19544FA3D8FD83C30D63E148,SHA256=52F52C380B99DC81B33E010B697A876BEF2C09067F4C977C22058D1D9F035FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:32.972{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4056CC26C7816640C40735AEE4D4DBC,SHA256=673AFC48129EB5AD65CBD1D816D4488CE720529E01DCD5B3044C9DD93B46CA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:32.929{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C16E697FBA4F2265175A9DF2387EC3C,SHA256=BCF5993C99271B01B9A316DFC7A91A5C83888743D28500E1227CCC8A8A2FF448,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:30.464{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50929-false10.0.1.12-8000- 354300x8000000000000000446763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:29.712{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52644-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000320491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:34.068{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391CC83E0E0EEFBA574010BB392CCF3A,SHA256=38B8F61070BAD51E53E7F5AFB8B2893CED17D7D9BC207498CB1D7AB9F9A975F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.066{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.020{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3E4CAF5D1FE25AB8E479CB31AD19D0,SHA256=0CC6C943F34ADEB736B2E0655BBE1B31E24F8399B31CF44D9A12A246E1284F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:35.164{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3B4EC5BD6695FA92CF164849A4FB84,SHA256=C18832FD6BA099AC16293AA6282C0EA3E258943FE94F67B584034E0BABF32B40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:35.593{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:35.593{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:35.593{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000446766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:35.120{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E99564E01E3F26A003DA70C9365B17,SHA256=568333C22FF091BB7C9F2016DF14C4EC3944DABAD30E1D7F8E9B0DBC24C49CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:36.258{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96C1721AEBC953B14CD3809D4F23EFD,SHA256=4EA83FE52A1AD5988B8D51ABA9ADEE8D555A15109FC89DC4C428343CB082C2D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:32.750{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52645-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000446770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:36.205{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEBA81F63196920A5ACB21927C02CB5,SHA256=3B658500F689AB2807DF71F0049F079D126BAD2347A9606FC6801E2A1136F311,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:35.511{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50930-false10.0.1.12-8000- 23542300x8000000000000000320494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:37.360{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1975795973E464A08EC6227D0116D5,SHA256=34811674FC5B03C0971623784792AF4A992BE50149B1CD85B069F7322EB508F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:37.300{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A267007CE075160D3E41171AFD5612D4,SHA256=3D39CED1AAF0C2B99A5539A367090C3310467F5416D365848A213B0C465D5BA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.345{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local65358- 354300x8000000000000000446773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.344{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53380- 354300x8000000000000000446772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.343{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local59591- 23542300x8000000000000000320497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:38.755{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:38.458{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BD533E7B19629F9ECCE3698CCEAD57D,SHA256=0723DD95B5307664CB4EDB1BEAABE960032665F1EB46D45A03A8D252E1FFC2BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:38.271{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0965909D79DDD42587E6C264C9392982,SHA256=16D7E1CA0213733BDD4142840080627963A7639EE80242C034EECB0B8420FE3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.793{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52646-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000446776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.345{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52025- 23542300x8000000000000000320498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:39.541{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E4301ED2BDFAE7D4E20A3350F6F9BE,SHA256=92B1CA082E5336EBD749F2D6B1DB5D68DEF303556C7074BEDB617D31F1B7E5F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.560{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.545{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.533{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.528{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.525{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.522{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.483{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.474{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.454{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.446{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.438{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.427{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.419{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.406{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.396{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.387{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.379{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000446781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.346{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA8450BC877FFD3F7DB1D4F78E48288,SHA256=79525B30D4F6253F4050CEE1D594CEA4AB0B634E22B48C7005460EB2F61354E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.325{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.307{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.822{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.804{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.800{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.766{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.755{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.741{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.735{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.726{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.723{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.720{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.716{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.712{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.708{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 354300x8000000000000000320524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:38.008{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50931-false10.0.1.12-8089- 10341000x8000000000000000320523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.698{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.693{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.685{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.679{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.666{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.639{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000320517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.631{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD573487E4D913CBF0F5FFB65AC95981,SHA256=23E6016CD9EC42072B958D94F67CF0EA529BD96DABD930A581D4D04F0103DF7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.621{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.599{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.594{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.576{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.558{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.555{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000446804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.376{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DDA029D90A577E02029DB0FCBB6DF5,SHA256=CF8135B2BFC28D60F0532E6705BE4AFAF019D06007F421EADDC404AF52674B78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.540{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.473{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.462{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.447{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.430{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.402{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.389{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.374{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.359{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.344{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.335{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.330{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000446803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.156{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.153{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.150{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.145{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.142{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000320538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:41.806{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2361354175A6E3A038FB5E1277A80CD3,SHA256=C12F6048AC7EE0705639248AA745778300C401F60AF93F8E57CB77122D3E0245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:41.471{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591BEFD8692BEB1DEA4E82A7BCAE1EFA,SHA256=526D4A4D0CFC0FE9CD377A415851BF4775FF2FB8F54FEFD43DE3A99A3D83DDA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:42.925{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0245F09475B69352DFDB08447844A6,SHA256=BCF81BF25499942A32E5538CA356173849D452D4BB03D0CDF14AD460CACB4316,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.815{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.796{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.793{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.783{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.769{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.746{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.740{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.729{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.724{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.722{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.719{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.714{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.713{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.709{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000446813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.553{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DFA7C9DF7E6B14DCBC89CE5D01B48C,SHA256=77936B9B2A9896548D199AB0FAF81BB66DDDBA389DF73A5CCF33738B2EBCF893,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.342{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000446811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.827{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52647-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000446810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.201{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.200{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.199{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.186{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.178{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000446828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:43.721{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9E4ECC0D7AA5FAABAED532EE61BC2B,SHA256=172493BE8D55D19E35247BCE7C71593959F7F94876F6595D9079B03D877CF585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:44.822{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598493BAB1FDBE09C0B2795FF7A1D231,SHA256=2ABE456EE696E5FE05B6BF205A9BD40708941BFB3E8460FDA1814C31597E1FF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:41.499{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50932-false10.0.1.12-8000- 23542300x8000000000000000320540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:44.005{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80A36F43ED4BE405D88E9B16B33F2CA,SHA256=A1CF59B244C0E65A6F49C392D1DDE6F0AB5A10D91246E49705A0A40C6475D4C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.958{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.926{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D936C7119BAEDCD9167B697E58409E40,SHA256=13947095DD9FE2D0D15E9D06E8D0B251D9ABAC8491F802C4980DCAD6CD46DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:45.094{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F525FE941B05EAF8AF70FE4619EE76B,SHA256=785ACAC92AB870677D841CBE2482B5AE5681B8C6CC438DD1D9E6FF7FFF1A7D1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:46.181{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC863D7CF5AFA4CCAC3C46B6BF3622F,SHA256=6F4FE8F9D5AAA1CC422121889123B81E79B2C772E4A8E72648F684DA666E8E57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B38E-63D3-AF03-00000000BC02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B38E-63D3-AF03-00000000BC02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B38E-63D3-AF03-00000000BC02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.631{45AAC21C-B38E-63D3-AF03-00000000BC02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000446843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.170{45AAC21C-B38D-63D3-AE03-00000000BC02}48763008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000446842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.107{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=26C0E71D9551AECDF53DF6AE336BCC70,SHA256=030798747DD5D67ADECA77827C91EC4245B5F4760D780B8CAA59335F9C08F772,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.075{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000446840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.072{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000446839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.072{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x8000000000000000320545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:47.542{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-099MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:47.273{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C6CD7AB479D9603AF0100751D4EB25,SHA256=6CCD5BED9B02AFE4D6DC6E9B7DC4BC2EB15AD0D7C0BFFCDBA2076C109ACCB677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.408{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1A1B91F3BA43D5E279E235C61722F746,SHA256=F86ADB782C801A363257E8B8D11732AEE70FCD17382D68C176A6420DBB3EBA19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.361{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E48DC6697706B3CF34036FED758D4F0,SHA256=744E4978D440C122D10B94C7A403D816E9FCA700D646E5F2F184833AC61D7F92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B38F-63D3-B003-00000000BC02}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B38F-63D3-B003-00000000BC02}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B38F-63D3-B003-00000000BC02}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-B38F-63D3-B003-00000000BC02}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.021{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320695F230B49777C1FF9196159A9D7D,SHA256=DB67D0CE05B56507C128446B982763A0751B5D0B793AA4A4A2ED2565970BCC71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:48.555{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-100MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:48.363{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E621562CFEF6B29CC1E4F3B9B6FF51F3,SHA256=4EC3AE0E8F8B51B872A6D161130229E1555794EF2FF299C35EAE9DDFE40BE4FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.814{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52648-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:48.107{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44DCD969183947730E377A1DA6538CC,SHA256=64A488796530A2D0C65D470F288BE74DDE664D76F7BD3A16A37CAFF234C5F009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:49.670{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82D8B8DF0274B021F4C65DC59A8007A,SHA256=11A0415D2B9B15A1CB1B493DAE0A7E57AB9033FBC81F293724929FF195BC0D57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.911{45AAC21C-B391-63D3-B203-00000000BC02}53561972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B391-63D3-B203-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B391-63D3-B203-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B391-63D3-B203-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.693{45AAC21C-B391-63D3-B203-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000446876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.248{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52649-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000446875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.248{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52649-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 10341000x8000000000000000446874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.410{45AAC21C-B391-63D3-B103-00000000BC02}37364808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000446873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.207{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48349CC772F6E5D004B09EAC5E3E0CA2,SHA256=0A2D8E6F077A6397D18625919505C0062208C2C29802BE8A5C63A8AB3FA62932,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B391-63D3-B103-00000000BC02}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B391-63D3-B103-00000000BC02}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B391-63D3-B103-00000000BC02}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.190{45AAC21C-B391-63D3-B103-00000000BC02}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:50.773{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D84789003EC08DED80A4AA210C48F911,SHA256=0ED465CB8BD901CFB3869E2C45C4D1FC06DD9FF9ADB2B3021F930EA8BF1B6E12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.540{45AAC21C-B392-63D3-B303-00000000BC02}43685880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B392-63D3-B303-00000000BC02}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B392-63D3-B303-00000000BC02}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B392-63D3-B303-00000000BC02}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.369{45AAC21C-B392-63D3-B303-00000000BC02}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.290{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4920A9DF9DEE3E4940F7402A0D298EE8,SHA256=8670871B0DD29AC2F4B8CB7F425953E8C597030932C5106DE42F6116C025E637,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:47.410{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50933-false10.0.1.12-8000- 10341000x8000000000000000446904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B393-63D3-B403-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B393-63D3-B403-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B393-63D3-B403-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.768{45AAC21C-B393-63D3-B403-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.377{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6431CAEAFB18497B146D5AC119D424E7,SHA256=F07B2D1A7784D7E6CAC59516A6B1D7F3983417444DF3073A500E6E992701CD93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:51.859{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=870CD3CC7BAC09421FEA53D352A9E56A,SHA256=5380C8A550F68362B2CD332837576205F199792EDBCEB462144210EDE0D19423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:52.873{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93FFC9EF0B21DD81F1ECFD7CBDA55B09,SHA256=437B094F6D97B770D6789A3CD57D4199CEDD10D841B11599ADE03E23FA7BDC4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:52.685{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3AD7776C7C04BEEE3CAFC8D6049838,SHA256=EB889F0A0FEC830E616841B578E82FBEC8617724564A9E78610AD9C1964D2970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:52.966{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F1E1B30AA4A15142AB6E1C3EE9A6B9,SHA256=F9D1F0595478CDEF551951E6E37E0B36C255EBFB0735A8CC9F2E1B7D245A8518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:53.781{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AAE50C3AF69F3038D8B436DDAE308F6,SHA256=4E78D8BC31FC716846C2148BAF09209E2220211A54B65C0212757F7861DA3429,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.961{72106695-B395-63D3-9A03-00000000BD02}54286104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.883{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B8BD50C432523D50DE0396F05B32967C,SHA256=B67B8F6C8DECDAA506622C111F0E80772822D3E67E5A4BE9D323761DDAF6F3A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.793{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.793{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.793{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.644{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:54.866{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FB2400EF1579DAD9A75889779819AF,SHA256=44A4EA3196F518B53CE1D6E1AC9303195CE31872ECA0DFCA924A66A132917A64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.791{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52650-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000320587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.843{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.842{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.842{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000320584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.651{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1191B08C1C1AB746610FF6455D70670A,SHA256=07E75AB9B507D9697E402FE2A1E713D5B7B3EEB5424F0E940FF0730582F3CE64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.636{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.385{72106695-B396-63D3-9B03-00000000BD02}43845172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320574