10341000x8000000000000000152920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:36.681{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D2EC-6322-0100-000000007402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000152919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:36.587{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000152918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:36.578{6820D070-D2EE-6322-0B00-000000007402}628764C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000152917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:36.288{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24A1E73822D5DF541595F68A07CCADC,SHA256=308A2DA4AFEB2CB6CE013D838C802D4597E09E270964CD724A68FFA15BAAF5C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:36.413{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D7702065575FD351284A211AAB2330,SHA256=BB7C48114E724A64BEC9A41A46E0202741B0380601261B56C8F17CA9AFE1EF1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.996{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.994{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.989{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.985{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.982{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.973{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.970{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.958{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.949{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.923{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.914{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.905{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.896{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.883{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.879{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.871{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.857{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.847{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.837{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.834{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 23542300x8000000000000000124093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.529{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3389117E4BB0315BA75E3BB9EAE2CB63,SHA256=64CB672E757D8C15D0D511773CDD6FB54DD5CBF6B8357C960BE19D2E87E1329B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:37.739{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DA3D125A74BA7F8219550B9C26CA4DA,SHA256=96F3F1298E0BEE8539F32022468B0A8FCEBD5B442A2D04FF683EFC38013F261D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:37.292{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBC8231104EB842A63115CEDABDD454,SHA256=82E4FA6E88A5E5C11E8DBA9B05E7309F0E6E99613FE218ACE7A621274CFFB036,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000152921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:35.537{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52942-false10.0.1.12-8000- 354300x8000000000000000124092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:34.122{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53655-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.781{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79105D63E3F71DDD46E7BC621271397,SHA256=353CBDDFC8C12629845A42884662E6ADD4ED85BAD5BE1EBB8AB2000E7D91A933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.779{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=677739899D0DD595355B468F426E682C,SHA256=A37CEC3EBE0BF28589373B3D2DBD6D3D19FF546A7AE270FBD43630A23CEF782E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.678{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0833D64180EE55D4CDE734E3A27B63F3,SHA256=F872A399A52AB0F05ED4C646F55C259C7781E331DD60819AEB118014AD55B0BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:38.400{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D2CBEE711A2704CA17CD8526E395BA,SHA256=7F7F2EAB6B53FEC1E135ACEFAA25900CAB1E976BA85D04F3139015A4344D2960,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.191{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.188{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.185{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.183{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.181{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.169{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.168{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.168{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.164{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.161{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.158{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.155{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.147{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.145{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.115{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.073{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.070{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.046{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.038{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.025{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.020{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.018{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.015{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.012{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.010{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.007{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.004{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.003{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:38.000{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000124114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:37.999{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 354300x8000000000000000152929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:36.189{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local52945-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 354300x8000000000000000152928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:36.189{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local52945-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 354300x8000000000000000152927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:36.098{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52944-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000152926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:36.098{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52944-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000152925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:36.090{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local52943-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000152924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:36.090{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local52943-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000124147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:39.803{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB4E78E6669F4D291660B4A40E8D60C,SHA256=19B50D79943EEBF9E605A544D26B6B9B1DF692695448FCF5497D5462424390D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:39.406{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282DB69C0AF984C6256760EA8BBECC6D,SHA256=808EC3D2CAC55072B67304DBEF2CEC07E33F5F88BEA9BEE514811114C5925A9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:40.930{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1886BB28C099D948846E7A8A3973A5,SHA256=A428A138DD661BF86C8CBCCF9B664ACF0EB244EF8BB9E6DB2C58EDCA9870958F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:40.508{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B7039C989E1680255F066EB816FE7E,SHA256=A86C52C1CDA1920C123EE1F7CDDB70787D547510AD0189D51D8909C2543B91F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:41.946{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0429B5FD7C6093947B4D084CF1A2D1F3,SHA256=DCF07CA5198F582399134244E2821EF91182ED8DD2A99F84F205450029BD29A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:41.613{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC43B6116052009FA40D1505CBE0CB7,SHA256=CF7F71D1C541249ABAA0A8B1AF367A342F7701CA9EBEBD3F4A1B1EAC05A59443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:42.618{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3553E44BC62BDDECEE9F9178CA111DBF,SHA256=A6D45A77212A75E7F7442B98C09B0CC19F6A97C82113ECB49E23C8B5407EED73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:39.160{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53656-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000152934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:40.560{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52946-false10.0.1.12-8000- 23542300x8000000000000000152936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:43.723{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61B77D2892EED5884ACF07D65C140E3,SHA256=194D86677487D3705FCC9B9F292BEFFA13ADF0B468BA17B8B4E33BDEAF305740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:43.062{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F6B33955151B558230D496A30B8679,SHA256=E1A080B1599BAB1AFA7891B7782A3E135F0CF91C623382D0A94E01385AD18D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:44.829{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18FDB22CC4D0F2C4B2F20F576BE7FC93,SHA256=D0A32D21F7692708087C6E01950E780094F439CEBD5F45C6B0D0092961C00071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:44.162{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9184BCAA0D44E0D051A8CD2E86F0B040,SHA256=C5F7B11E439AED65CB6F71AD9F06DFDDCE83BBDE5CD325905C29A4B2F7931A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.842{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FFCA3ACBD1CF21092630E6AB80B63D8,SHA256=71E31C5FE0E86829D7451D7867739473DEF2927210ECFE8F3B8C15CDF52A7674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:45.251{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90FCFCA77C431105F191EF6DB203F62,SHA256=2263D11950BDA045D6DB82FC9A83BA0EA8F752230D22A42DC6022B5F442C786B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000152961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.681{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.679{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000152959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.634{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-314MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000152958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.268{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.261{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.250{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.246{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.234{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.228{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.227{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.225{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.219{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.179{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.164{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.158{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.151{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.144{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.136{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.126{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.119{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.109{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.100{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.052{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:45.049{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000152964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:46.946{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96FB40B039F4EDEFF409F0FE045D0308,SHA256=33C13372F70BAE23831B341AC40C8B4AA3F607E300C512C78DCD8C41A5C2D236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:46.630{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-315MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:46.285{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5249E2361AF20774928953522AD708C2,SHA256=0465CD1E48C76440BE7123018B75931BD6B3A2F4E394AA9460100C4F07E47E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:47.315{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A215A1DCC1F48F2614A2C8452198C58A,SHA256=5A81A9DE93E7EFC457F75532133525B7F06E90FFF292CE95976361E502D761F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000152969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:47.694{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:47.692{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:47.685{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000152966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:47.685{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:47.682{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000124173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:48.931{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1EB8-6323-A00B-000000007502}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:48.931{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:48.931{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:48.931{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:48.931{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:48.931{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-1EB8-6323-A00B-000000007502}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:48.931{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1EB8-6323-A00B-000000007502}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:48.932{E743DC12-1EB8-6323-A00B-000000007502}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000124165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:48.431{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1EB8-6323-9F0B-000000007502}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:48.431{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:48.431{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:48.431{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:48.431{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:48.431{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-1EB8-6323-9F0B-000000007502}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:48.431{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1EB8-6323-9F0B-000000007502}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:48.432{E743DC12-1EB8-6323-9F0B-000000007502}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:48.401{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0424C8FD88CA3D05FD9499C5C7F3541,SHA256=3759D26154264B210BAB9F8756F6421DA31CD6AE30C4317AF02D6073467738CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.474{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E4AAC8340D7D5CD0378AF36806B911F,SHA256=851BAB47A4037A4C18451AEA7EABE0B25BD3D5D8A4783246548B8265AC05C7CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.441{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.440{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.437{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.434{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.432{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.429{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.410{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.380{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.378{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.376{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.366{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.364{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.363{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.360{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.357{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.354{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.353{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.353{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.347{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.344{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.330{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.326{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.303{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.301{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.283{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.272{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.238{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.230{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.221{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.216{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.214{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.212{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.209{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.207{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.206{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.202{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.200{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000152971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.198{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000152970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:48.056{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114B7F89786E98AA79C1E551D7E88941,SHA256=9F861698CBFE276420B6815F3B4E85C2A4EFAC27824A14C09F451271537EA283,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:45.023{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53657-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000124185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:49.555{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1EB9-6323-A10B-000000007502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:49.553{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:49.553{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:49.551{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:49.551{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:49.551{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-1EB9-6323-A10B-000000007502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:49.551{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1EB9-6323-A10B-000000007502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:49.550{E743DC12-1EB9-6323-A10B-000000007502}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:49.516{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA0149035A2880D269053F6A83F41B7,SHA256=1C10A2BD62310C29C5AF6B79912733DC0C3BD230253B09E87B30192895040FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:49.479{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71226E959343B1FED208F7BCCBE9777E,SHA256=1795B76855D0B394F13FACF0B2FC15DE2AD92672A42D679DAF546313533B4B77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:49.519{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90BAE143889C450E62CDE47B39B84CD,SHA256=CDEFE56AB911CA53FC3127CFF1085F290A094765D0BE156AD13D50DBF05BD826,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:46.544{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52947-false10.0.1.12-8000- 23542300x8000000000000000124175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:49.381{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AA8E9ADBC5CD53AD238F41C951049151,SHA256=038B96AB191FABA005FF0914FBFAD5CA33EF2940DB11AC7BB9BFDAAE4158BE0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:49.115{E743DC12-1EB8-6323-A00B-000000007502}1904916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.962{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=D4CEE600D579D93896BD66B7FC0B0F4C,SHA256=450ABECD72EDBF07B9CB8BFB085D62F0833857EEA5DC165D7DAA699188667E75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.931{E743DC12-1EBA-6323-A30B-000000007502}4284228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.731{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1EBA-6323-A30B-000000007502}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.731{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.731{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.731{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.731{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.731{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-1EBA-6323-A30B-000000007502}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.731{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1EBA-6323-A30B-000000007502}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.732{E743DC12-1EBA-6323-A30B-000000007502}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.531{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DE49DE315C2B4D660AC5D9C96E43E8,SHA256=46E9BF7E9EC85DAA576BD0407D86FDFFFBA7F6F339F447C9C2DABD946B8B4315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:50.273{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=404D937F1A769AABDC41C329C06F539C,SHA256=B0B8AA59FC94F1A6C0E2808AD5095C9BCC7A6876D1054D0E2301D0B208E93A70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.367{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1EBA-6323-A20B-000000007502}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000124198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.367{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1EBA-6323-A20B-000000007502}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000124197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.367{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1EBA-6323-A20B-000000007502}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000124196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.366{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1EBA-6323-A20B-000000007502}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000124195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.366{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1EBA-6323-A20B-000000007502}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000124194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.366{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1EBA-6323-A20B-000000007502}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000124193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.232{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1EBA-6323-A20B-000000007502}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.232{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.232{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.232{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.232{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.232{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-1EBA-6323-A20B-000000007502}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.232{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1EBA-6323-A20B-000000007502}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.231{E743DC12-1EBA-6323-A20B-000000007502}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:51.662{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EDAC0C2CFD4B5760C2226DF6D31FBCB,SHA256=8617AE7685103A5D2ABA023A6E59827BECF15B0D2AE4CD86206E584296113057,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:51.615{E743DC12-1EBB-6323-A40B-000000007502}53204684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000153013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:51.278{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0BCC92FAF53E385DE17EE5009144DC,SHA256=21C5682A7F75A3565E10CF5EBD49937D43FD90C79950F3763B14A7FE1E0D0632,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:51.404{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1EBB-6323-A40B-000000007502}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:51.401{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:51.401{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:51.400{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-1EBB-6323-A40B-000000007502}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:51.400{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:51.400{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:51.400{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1EBB-6323-A40B-000000007502}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:51.399{E743DC12-1EBB-6323-A40B-000000007502}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:51.015{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CDE30D399145C00A0A14FC5B4A71FF7B,SHA256=D6370355BE6BDF34CCD447C8FE876DA27E56B395F00F6B059329370A85AD834B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:52.647{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D32F74921DFD0C37710E42AA536D81,SHA256=46BA08723577582A5F329B3CD725842AE49E796791263378456F70805F2A7D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:52.382{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD868293184179AA180BD03B4A0E349A,SHA256=70BB5141A4EACB61FF01344F675B1B9EA5D1C4EFACD08CA464FC386334C9CEB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:52.247{E743DC12-1EBC-6323-A50B-000000007502}56043060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:52.083{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1EBC-6323-A50B-000000007502}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:52.081{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:52.080{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:52.080{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:52.080{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:52.080{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-1EBC-6323-A50B-000000007502}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:52.080{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1EBC-6323-A50B-000000007502}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:52.079{E743DC12-1EBC-6323-A50B-000000007502}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:53.681{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6171509531095FB0C9A030B5246C3BB6,SHA256=DAFAADAAAD6451491A26CB9E97F499F7DD1609DF8F3F0275644479324E2925FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:53.945{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CFA5937C8E4A694CB78A24E5E3A4B2AE,SHA256=D5C11963117BB872A3814BDC62A7D766295A5819AE9EF8BDFD6121D65DCE36F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:53.485{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3B099F483ECE4C9809DBD0C6F2D297,SHA256=6E4AE9FC03A5A909C1AC0BAF5620868265AD68208BD9A9F1932A1754E80BA494,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:51.617{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52948-false10.0.1.12-8000- 354300x8000000000000000124232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:50.054{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53658-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:54.732{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80AEE389925EBF23AA3613845D129824,SHA256=1D7C3E5C26E353805E5575412832B67EE452240735D37DF5E214BAF0F21781EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:54.488{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833108F43AA583982044BE6F0F02DB21,SHA256=952B26D4AC2D36C0EDB1F18F9F50FF8A64941F369B8A874F6BD9A022EE75B377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:55.748{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1BBAF2DA1F9E895632F1150B4D7335,SHA256=45069EF1ED86DD2DE6B533C5AB7C19ECF1B156818C0BDA024A7050E5467601A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:55.492{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACD8308F7A53691DF9945EB918D7B6D,SHA256=B7A8CF7079222AAE18A6CED86BD12A56CECF6EA2623EB811354D25D22DF8D594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:56.780{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30016C6A35978AE409E5BE9128C53780,SHA256=29AB85D7213A60C480570B005CB8A5E853474E3352E54D88BE93F4BD09EF4857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:56.496{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56675C04BB295B38E8742C4BB8DBCAFE,SHA256=DAEF2D272E4EE5DB43288779F98B43FAD1E6DD2E386F9585D6C032EE9CADD42A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:57.601{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB737E923584B626313863BAE2D8DF1,SHA256=3B7CF748C2222E8F08D66BA7F30F6F4B9B43F20C201B06C1CC8F29EB66A02545,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.999{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.995{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.992{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.988{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.980{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.978{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.964{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.953{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.925{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.917{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000124246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.905{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACC8753C110BD99B74A968E51C861CF,SHA256=0914DCB90189C4BDC00927F0E515E6229291FD6C0702A5A391604783162DA057,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.898{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.884{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.871{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.865{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.857{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.848{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.839{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.831{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:57.828{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000153022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:58.705{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2CD7422227D2954B9D12534A3B9B200,SHA256=28EF91137FC5C16F1983C93BDEA7013017B5D283F068BA586AC625CCFA08B0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.883{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50877FC14F9F922DB2F7AAFCDC042ED3,SHA256=E0E9DE744C0179AFE1DE74126A352EA6AA4B8F16E0AE791B12D722A6701C548C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:55.155{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53659-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.349{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54CA21ACFC73C3D5F06A8125232A0C2,SHA256=81C6C34E1AA5895237EF5C9CE98736CA7321101ABB63256BAFBCA947D2A72109,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.184{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.176{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.171{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.169{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.167{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.155{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.153{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.153{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.150{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.146{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.143{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.139{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.129{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.126{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.108{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.093{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.084{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.050{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.037{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.026{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.021{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.019{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.017{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.015{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.014{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.010{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.007{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.006{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.004{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.003{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:46:58.001{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000153023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:59.708{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BDA33D4E5682FEB39C00FDBD82DD23,SHA256=2A380FF005416DF35C56E8AA70E47A03526A9D2C1BF8EAB58FFD627BF0F61620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:00.814{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B21DF0EBD6881EF59B13D08512AF80F,SHA256=D2F79DD21BF2A649433E6430D23B9074534F677EBA46ABE8D51B2064106E07CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:00.018{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3DAB0CC8E2729662304DF66776BFBB,SHA256=E419660EB5EA3BDEE1080EAFBA0B99E052053621060D710350FCB84F308D1CAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:46:57.606{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52949-false10.0.1.12-8000- 23542300x8000000000000000153026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:01.818{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A75EA29E17F62ED33CA4B45E68B80C68,SHA256=50360E37EA3820C2CDFC1438323350498D7D9A278E9074A5BEF6EB8AA6FD6D8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:01.134{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E2655FF3668FEBD3C09446A972B69B,SHA256=9D81E46595019EB5BF85B91F457BAF55F727A2F4C225B3EC96A0AE7611026F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:02.923{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0DE9081786F97FD609D84EBAB56EC8,SHA256=71C04E224AB030405335EED948D25832140FB75A04C75EAC6DE7CAC224DBB17F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:02.151{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8836A03BC586348502FEF76A1450594B,SHA256=D85B410E75D988A69C673E82264B5CC9AD6B918032CA6A99FCBE3A013310E38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:03.931{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A1875BBF7DC3219914696402543FE8,SHA256=CCCD1BBAD34CA74B87457D8C17E764630FB42939A44578D212C35A04B97A3F82,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:01.161{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53660-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:03.255{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA9BAE7860CD0C9081B8FE33975615B,SHA256=6543030D6B2BA7F4E19ADB90828A0C87329E57D5F0BBB7EFAB38663C0E3B04F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:03.824{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1832D333E7F732A7F8C669772F6FDA13,SHA256=F9BEFE6B33285B8A5E3F0331EDF51038639A751830991E65FF7FF1A8DAD9D64F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:04.372{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B830848AF0310E834A2711BEC1AAEBB,SHA256=C7316955FABC6B6FDC58FE705AE22666D96C496AA0CF7D1EB53A871FAA14E1D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:02.273{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local52950-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000153030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:02.273{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local52950-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000124297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:05.411{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FB1E7D313DCD9F570981EF5DF6D15C,SHA256=973816E49F08058BE35565FEDF6223155D40F3E5BDB620AB758BE9232EC7EBE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.681{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.680{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 354300x8000000000000000153054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:02.741{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52951-false10.0.1.12-8000- 10341000x8000000000000000153053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.240{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.231{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.216{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.204{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.196{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.192{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.188{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.186{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.180{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.152{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.138{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.134{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.127{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.119{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.111{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.101{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.095{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.083{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.074{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000153034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.038{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D08F4F5C82CC4F791AC5F382FCA4D19,SHA256=2B2D499241CE26F699AA3F7865BDA7A9B3F10F398CCDB246E782206289B578AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.029{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:05.026{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000124298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:06.440{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C393486BD1FA1D2FF572F629DB6F0651,SHA256=09D2719D4F13BB2849D1F4329970EBEE8DF545B9412DA0FAC7598B3F6867AE61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:06.251{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9ABDF8B2B5F44E2D3198F53B952E967,SHA256=C660FA08128925371CEFD70C9B9F5B40EF144671B26AA239C1D1A4451A1C3A52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:07.692{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:07.690{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:07.685{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:07.683{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000153058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:07.358{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28ABE7E9E4736500EC7C7D734E70E4C,SHA256=63BDFCA7D50FCC86ADE95CBF03A2FD9B87E1591EE053B10EAB2E14E1A1530784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:07.541{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D73CB974A8985F01F77CD469D341A67,SHA256=4D8132BAC99BD2520D252DD0FD2DE7264FC95FD69C3E5C1193584ADCAC08E777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.843{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF923C2ED1181F714203D516E4E452A,SHA256=71D7A37C0EAF77758D789D9E06B2002AA2D9DCD401F1D56DCFA0895C55643C97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.495{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.494{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.491{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.489{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.487{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.483{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.469{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.444{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.442{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.439{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.420{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.417{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.415{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.405{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000124303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:08.557{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4AC284F2F237B02C479860AF9FD4759,SHA256=9B33E57FFAE95B867AE49D38A5528049B589C09D511D7DD2ED753DA90388CC37,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000124302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:08.542{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\SiteSecurityServiceState-1.txt2022-09-15 12:47:08.542 23542300x8000000000000000124301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:08.542{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000124300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:08.542{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\SiteSecurityServiceState-1.txt2022-09-15 12:47:08.542 10341000x8000000000000000153086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.401{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.397{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.393{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.393{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.389{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.386{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.372{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.370{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.342{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.340{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.312{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.297{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.251{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.243{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.226{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.219{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.218{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.211{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.209{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.206{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.200{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.198{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.197{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.195{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000153102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:09.581{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2641FDE1168BAC149F63E59E725C8B15,SHA256=24E0623727F74360E433358B84800979F99A41319314C31D99AF2216325FBC79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:09.576{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1ABFD49E3B20855D947D500B4C2AC0D,SHA256=10933972AFC9D0926721D1206290F5698EE00E03BB703B7AE7A48222DB5DF2A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:10.691{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18505431CDBC34C72540529120FCD28,SHA256=2C25572786C26B5FFA6949B337B0E4A3EE66AAF8FFD6D1DB99E321620DB6DB75,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:07.102{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53661-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000153104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:10.684{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9004A68AA6175770DF77721800A10CEB,SHA256=0E10BC0F36EB162E9075946BAC5445413C9C14E2F8AD1DDE081DF5D3041A115F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:08.657{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52952-false10.0.1.12-8000- 23542300x8000000000000000124307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:11.710{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02BC3058BB01B204B3E8B2B6F33032C9,SHA256=D1B1CB1749D9E0D555D17FA27C3F07EC2691CCFFF6B55B31DD03B03E2663ECAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:11.788{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAAEDD8DC8002D3A430B20F949E93D30,SHA256=6045CCAAFCB37EEA7DF03E88199D17E79A1BC2DDC974215386F5E335F9364B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:12.894{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5706C3012C5FD2130A462B7FF129C5B,SHA256=447F5F6E5F0860984FC98D8829E63C3BE4B0B9B42DB2325CEE69BE2A21D28715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:12.796{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78E82178697CC470DA19C40CAE1DC24,SHA256=90849D3A6EECD5AA0E674B1672DF767A51A59C0E54DEF8EBAF4D7AACD21A3396,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:12.111{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:12.111{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:13.911{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336B32B254705D7195B679B628A1CCE1,SHA256=D6343F82E13F913C2731127F39090529CF7BF1BEC19A2344A917457D56D600CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:14.948{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D789EA90ED29CC98173AF92A16ED846,SHA256=93834D6CEDE47C8BFE068083509A99E1CE38ADC5C79FBA05D20863D8BF95832A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:14.000{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082D5AF12A59E5FC02C074CE30E0EB64,SHA256=4C930CD339E2AF398D2186E5CB5222F68FE7AA8CA9812A778C0A2FD05C683B72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:14.561{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:14.561{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000124315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:13.085{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53662-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000153113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:13.758{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52953-false10.0.1.12-8000- 23542300x8000000000000000153112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:15.738{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000153111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:15.432{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txt2022-09-15 12:47:15.430 23542300x8000000000000000153110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:15.432{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000153109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:15.430{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txt2022-09-15 12:47:15.430 23542300x8000000000000000153108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:15.105{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89CAD1EBF65A7DF72BCC3BCEB7C9FC8B,SHA256=B0C7EC9680DE83A6015A74E16F71FB9E8AA6C577266F47830DE96868A4E531F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:16.077{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEB57C66C05E007E007F7D205F8FA88,SHA256=C985BBB3D1C7146FC300030848F3BF79D05B54D3A27D8CAFCE02766FCBDFB6EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:15.233{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52954-false10.0.1.12-8089- 23542300x8000000000000000153114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:16.212{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E58CD1312C5F070044B2FAB7031A4F2,SHA256=0A3E1C050CA7D7344C8429B1877998ACA63E63FB334348718BB9FBD04499179A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:15.978{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52955-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000153118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:15.964{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59819- 354300x8000000000000000153117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:15.962{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60656- 23542300x8000000000000000153116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:17.217{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6987B6D28F8C263BDA87A2875189630,SHA256=0998B517005C8F158DC54AB6D5D2E0A4CF345E22FD187DA8C126B591DE79D4DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.998{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.995{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.993{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.992{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.988{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.986{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.985{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.983{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.981{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.979{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.978{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.974{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.971{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.968{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.962{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.960{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.950{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.938{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.912{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.905{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.897{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.890{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.881{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.875{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.866{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.857{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.848{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.840{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.836{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000124317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.132{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2964164CE9F7EDF0246B8E7AC637DE33,SHA256=992A44F7A09DBD0940589C730D71861DD10072496747126C54F892E766A758B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:16.099{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52956-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000153121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:16.084{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local52541- 23542300x8000000000000000153120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:18.226{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93848DA90408BCCCDC95E93EB207EE4,SHA256=A9B6041C6D6A8E236170962A0BB18993B99552E42B838EB78E886D4498C1C410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.933{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.196{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6543350BA303C4BA69AB8B049B8F6AE6,SHA256=848BE662153BD86CE0463BD4F4CD269050EA7F2F411B56203329B85FB8D7B44B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.143{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.141{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.137{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.127{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.125{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.112{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.111{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.110{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.107{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.104{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.100{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.091{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.083{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.081{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.064{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.052{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.043{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.020{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.014{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.005{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000124347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:18.000{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000153123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:19.231{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52F9DDDB0F1A4752E80E469074CA036,SHA256=D6156FD595186E06FBF1C66700B6C32F56A24A3C7954360B05979D83C25BCA55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:19.279{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2A44E36BDADC9AE2F53F89544A7C41,SHA256=DA513E8AC564FC5264AC21ECD2321ABEBB2BA2DA7A3B2F32EC34024351E92FE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:19.179{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:19.179{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000153144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:18.082{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57774- 354300x8000000000000000153143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:18.081{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65384- 354300x8000000000000000153142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:18.080{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58749- 23542300x8000000000000000153141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:20.652{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=67E1BE9D49553A2424502A3E5D3AF7D3,SHA256=401C8838ABFD20723F1B95E28890704019C67EC351672D69B8BF507AEC076DB0,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000153140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:18.568{6820D070-EFF0-6322-ED08-000000007402}4396e14801.x.akamaiedge.net0104.91.172.94;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000153139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:18.568{6820D070-EFF0-6322-ED08-000000007402}4396www.homedepot.com0type: 5 www.homedepot.com.edgekey.net;type: 5 e14801.x.akamaiedge.net;::ffff:104.91.172.94;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000153138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:20.553{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1ED8-6323-D313-000000007402}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:20.552{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1ED8-6323-D313-000000007402}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:20.552{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1ED8-6323-D313-000000007402}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:20.552{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1ED8-6323-D313-000000007402}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:20.551{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1ED8-6323-D313-000000007402}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:20.551{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1ED8-6323-D313-000000007402}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:20.352{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1ED8-6323-D313-000000007402}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:20.350{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:20.350{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:20.350{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:20.350{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:20.350{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-1ED8-6323-D313-000000007402}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:20.349{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1ED8-6323-D313-000000007402}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:20.348{6820D070-1ED8-6323-D313-000000007402}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000153124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:20.235{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0751707ED0996E2E1D2FEE923031918,SHA256=6C7E2F59A82BFBE71E7942C1367065DDFD6A8173D27CF3EBFB58FC9CCA63E471,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:17.886{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53663-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000124377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:20.263{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39FF85DC3C031ECCE2F7ED289952F18,SHA256=27213D4C20348A26F9D4B4F311A312A778AFCC5616ADC7CCC4612A3CC9042D69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:20.247{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:20.247{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:20.247{E743DC12-D54F-6322-0B00-000000007502}628712C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:20.234{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000124383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:19.040{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53664-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:21.433{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=092689EB215EA198996D03D15BF1D803,SHA256=16E4A9B4A2CE267818B9CE2EDFD0FEF883CA5996513A757CBDEC6631AFDD5A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:21.279{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475A6AF9C404CB7DC07CDF7DAC0066E4,SHA256=3E0C07D5FB8B22B111BF7FBD9F6AD9B2F2AF05AADB94DFBCE268EC063BA8C603,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.902{6820D070-1ED9-6323-D513-000000007402}79047868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000153165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:19.524{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52957-false10.0.1.12-8000- 23542300x8000000000000000153164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.690{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42AE3C4C1BCF70E39D5D55CBE3F48DFC,SHA256=F2FE5FAE73A339AF75881F8F322D793A29102F35801BF62376796B45BD7E6C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.690{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AF5BE9062B184D83259AB7DA6BC1856,SHA256=F481600106EEE9BF5CFFE28AAB6A710F8F0825C75458327B6BEC2637FE0F6F80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.687{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1ED9-6323-D513-000000007402}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.684{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.684{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.683{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.682{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.682{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-1ED9-6323-D513-000000007402}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.681{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1ED9-6323-D513-000000007402}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.680{6820D070-1ED9-6323-D513-000000007402}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000153154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.576{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\28624MD5=AC69F52F153E80BDE5910114B457FD18,SHA256=3C819AD216D9405E15691DCC919EE9A308E0518A3694AACB9F3B7EDC7915588D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.222{6820D070-1ED9-6323-D413-000000007402}73367956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.018{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1ED9-6323-D413-000000007402}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.016{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.016{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.015{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.015{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.015{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-1ED9-6323-D413-000000007402}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.015{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1ED9-6323-D413-000000007402}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:21.013{6820D070-1ED9-6323-D413-000000007402}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:21.233{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=51A69930E2517851224BB44ED0A9F0D2,SHA256=05187B0771FE1F1DC4803C7CA6938CA2C0142C9C58CF0760461B9A8B844F1147,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:21.233{E743DC12-D550-6322-0D00-000000007502}7842752C:\Windows\system32\svchost.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000153175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:22.662{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D27BAEDD47B4ED8AEC84C9EA5487F6F,SHA256=70A1B9E8940A7CD2B5C7B265086CCE62A945E9648558991BB92F6E821506DF88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:22.817{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:22.817{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:22.378{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88DFF974179A9116904D75B5E77F0B90,SHA256=58C7DCCFB1BFB7CBEADB7BB5C61F690F634F362048E6F374000BA6271B1E9EAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:22.353{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1EDA-6323-D613-000000007402}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:22.351{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:22.351{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:22.350{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:22.350{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:22.350{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-1EDA-6323-D613-000000007402}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:22.350{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1EDA-6323-D613-000000007402}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:22.349{6820D070-1EDA-6323-D613-000000007402}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000153194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.898{6820D070-1EDB-6323-D813-000000007402}56125364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000153193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.769{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CBB54B08DAFD4998711170C194677A,SHA256=B7E3F4A7B4C917F02639CDEB8EE985A76C0976CA4B9C46FA6524365CA01E525F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.686{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1EDB-6323-D813-000000007402}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.683{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.683{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.682{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.682{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.682{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-1EDB-6323-D813-000000007402}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.682{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1EDB-6323-D813-000000007402}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.680{6820D070-1EDB-6323-D813-000000007402}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:23.437{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AFA89220D213575D31B338204537B3,SHA256=9847E15C5E828BD52BBBAA72FD73F44F2696A76B1635F2DA5CD76815E88D49D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.164{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7C8EB38368F379E277A0E2BC64D3B58D,SHA256=E0156DDAA224797946BED5BD73821A049794C538CCAE0AB5B89DD3E59099C651,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.018{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1EDB-6323-D713-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.016{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.016{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.016{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.016{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.015{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-1EDB-6323-D713-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.015{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1EDB-6323-D713-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:23.014{6820D070-1EDB-6323-D713-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000153204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:24.779{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C941066A88F0FCD690844C08FE24A75,SHA256=F8D9E205AB57D352708BCE927EF5BCECDC4003306579CECFF2243F125586C3D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:24.500{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0702385F16334931B34A641E83305FA8,SHA256=CD46B45C84298E94A448365006FE75B397819750D5E5DB67F2EA016DDCF330B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:24.447{6820D070-1EDC-6323-D913-000000007402}18408084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:24.260{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1EDC-6323-D913-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:24.258{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:24.258{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:24.258{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:24.258{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:24.258{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-1EDC-6323-D913-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:24.257{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1EDC-6323-D913-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:24.256{6820D070-1EDC-6323-D913-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000153228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.791{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85BEBBA7EB3AE5899F74CBF88A60966,SHA256=7B1622F16D7CC489C40FEAB8A37D41115DB49A58ACDD3ABDEEA502642B37136D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:25.745{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-305MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:25.542{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71DAD9A6166AA1AA10E145DB2FBD6BF2,SHA256=AC7776D547841972FF34269E5F7746136CEE93AFF34C4A9E325709C00E7416B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.644{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.642{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.231{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.225{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.214{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.210{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.203{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.201{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.198{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.196{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.186{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.160{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.147{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.143{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.136{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.127{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.117{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.106{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.100{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.090{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.083{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.035{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:25.033{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 23542300x8000000000000000153230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:26.894{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8783820545BE0C7D9727A5DD8CC249,SHA256=D5803699AEB25FD397185BB298C57D5A6AC8CC001192FD1012DBFCB761123DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:26.750{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-306MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:26.624{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C814D9142278FAFF17E761030EB5A389,SHA256=8FEAB3414922DC5A3DD435557120A4CB8AA302528BACF924E99080E36C401CB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:24.593{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52958-false10.0.1.12-8000- 23542300x8000000000000000124396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:27.678{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3525C2BA257F07C2234D827950B9DF0E,SHA256=62E393E3669DD0844C2F22037EA63CE37F7874BEA16C8BE9F677FAD6F6E4F342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:27.901{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B5A89E226C79E040A07428ABB8B10A5,SHA256=DAF4EE2EDD768BA6C4E002620B55F0F98F5AF73577B6B999FD0EC7AE591B3915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:27.652{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:27.651{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:27.646{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:27.644{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000124395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:27.076{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:27.076{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000124393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:24.046{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53665-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000153322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.956{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725CCADD690EBF0218C391BAD09C4A27,SHA256=539841D919D59ECC4F67E5F16F9005A7D307DEEF5A01786DE8513019CAF3B239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:28.729{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D8E81E9E50EC18CFA347B5E42D66C0,SHA256=C05BF8001E7AE0DE719D799661D79235D41ECAEB623311592FCF14BE97456AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.888{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1182A56663327B1E9CE909289923690E,SHA256=1DAD31F8843D127DD26CE834DD7214EFC993F805820131AD802309DFF77BE1FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.688{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.688{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.688{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.688{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.688{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000153275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.580{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.578{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=2E1D4C3729132CEC84CDFB8691B1BAE7,SHA256=C7712948703E0F73709D398532ED441C84E1D2D7D0E3E2CE8A287E4B26CD79EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.432{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.428{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.426{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.421{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.418{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.411{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.392{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.362{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.357{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.355{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.343{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.338{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.335{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.332{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.329{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.326{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.325{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.325{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.320{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.317{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.307{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.304{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.280{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.279{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.259{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.247{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.197{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.190{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.180{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.175{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.173{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.170{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.167{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.164{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.163{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.158{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.157{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 10341000x8000000000000000153236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:28.155{6820D070-DD11-6322-8606-000000007402}52805308C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038850) 23542300x8000000000000000124401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:29.816{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E33C5FA5A63807A2673A2D6BAC4690D9,SHA256=DB51735312B4D2FD11260BF54F7A21C9E27FEC819A9545BFE1B69A0AA903DBD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:29.730{E743DC12-D550-6322-0D00-000000007502}7842752C:\Windows\system32\svchost.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:29.746{6820D070-D2F0-6322-0D00-000000007402}9084416C:\Windows\system32\svchost.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:29.598{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:29.598{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:30.856{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F9D656DD6C4303DE07D7B1365A0E6E,SHA256=08CF446FB79AF24A71A7CE49A7A07F47A8961C7F862A63D1921A5F5CB96B1A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:30.034{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCFD49E7E80BDCB5F3C83B4083FFF47,SHA256=EF24D40861A0CC853DEFDE5F4E3CC9CF4644A79316C3730D8B312FD68FB969F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:31.889{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D091368C2B0241D566D3BC795E01F0,SHA256=E06FE6A26F7BCB329DEE334306C73D07CCE69AF508DEDB59AF7F1DA9836F06EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:29.728{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52959-false10.0.1.12-8000- 23542300x8000000000000000153326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:31.121{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E048C017BD50740511E5C6BAC56C729E,SHA256=D1183E8DD298D85BE44D2FB14776963AE5D11DC4F676DFF44349B677191C6973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:31.038{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CA0BA15A2AF43F035CE975C8C4339E,SHA256=79CEB77E797BCDC8D5EE9B07103FBB927FB2A66A9B6C1428EF41F87E0102BEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:32.941{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF72F24025234E1F6419116307A90D3,SHA256=8F11C01832BA7D020BB5581F0CE581EA91992E7396BAD3EAB4BC64FCB994C06D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:32.144{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F370F29F094536B46EEF91CC1AD163D3,SHA256=219F9ADB5132CEADD86D2DEF0FC9AFCCC5805C975A20DBDD6DF12BF25C853230,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:32.345{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000124405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:32.345{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:32.345{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF11f7606.TMPMD5=39D11997735CDFDAB7051AB86B8F82E9,SHA256=34F34B56FDEF9CE630B3344FE748DFBC186169F1CA2CC69FB9A6920D5DE026AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:33.149{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A335AEED06EAF75BD5C238E367468B,SHA256=2F6CC3FC43240EF88D12FB240C06C1A620B948DAA5E81B57BF8429D77C31105D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:29.131{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53666-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:34.078{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06C5B5A0B269007B2B90B8DAAD372C8,SHA256=7154F9AEE2A684EA9E1312C960B56A0F1CA9D4CAC24A083ABF7FB5D1A867908D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:34.252{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A731A28375A4557F95404B30FB16186,SHA256=37B3350BFA0B149A97BE1795EBB59207315E9116A8B552493CB439B97F99E769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:35.357{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D5BC0A6DC3FF09F279F207285747E14,SHA256=3C7D064406E723CF13BE8CF487499BD77F53F976A5A24C054BF8D3AF0768760B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:35.166{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE820B0268590D9C33124C1B1C96183B,SHA256=057B0556A27DC0CC3DFB25A58C26D3005ACC3C6D89110C279B0043ACE11A13F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:36.361{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26C2D6DF8F9CBDF03E08F0598B7214E,SHA256=5941CD100A305DE027C52B498551CA779DA09F7DDFCD21E16729FCCDB1012411,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:36.313{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:36.313{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:36.228{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B8CF068AEC8816329C8F1D9A285D7A,SHA256=E378C0FB46BB1D93E1465015400C6A4BB66512DCAE4BD412775E04C864C1316D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:36.012{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:36.012{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000153335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:35.555{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52960-false10.0.1.12-8000- 10341000x8000000000000000153334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:37.716{6820D070-D2F0-6322-0D00-000000007402}9084416C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000153333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:37.465{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4482DC098462937D6CC70BD8E1A313A2,SHA256=2760B8F98DCDCE39DD187418651F7E0FC435BC286FD5987C5B864B350FE1A644,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.996{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.994{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.992{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.990{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.986{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.982{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.978{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.967{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.965{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.953{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.940{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.915{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.907{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.897{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.888{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.871{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.865{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.858{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.849{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.840{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.832{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.828{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000124418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.299{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D8EEBB055930CE9768437B2D7A31C4E,SHA256=9E1F119D69ACE47E417551B6CEAFEAB2A475DAB3A85F00C7395F7B6D4238824A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.183{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.183{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000153336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:38.572{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A56898A9BC6D579DE28AB330583715A4,SHA256=C74E25409A96871C9B0943262B0AF2CF9545C734C9475AF53AFE8E4D17FA0B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.685{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=89CC854BAA8CD8EC7B42071490B4132D,SHA256=D9F99E0AEDED97A3E08AE42374D5B7C9EA5B168A229304FC4C135E3154513C9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.500{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05F71D8D41C88402C9CA5F54AF13C30,SHA256=23B5107CC02A99123779FBA9F3B3CA8B8C4FEE9B856392535D1A3C4CD545D5A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.500{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8FE0A9AF5DF2E9449188DBD197F67DD,SHA256=9D7007C44C25770A4DACE5051C081B91B0CA86F1B5E84E3685CA9F98A1CE9A5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:35.143{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53667-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000124468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.181{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.178{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.175{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.172{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.170{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.158{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.154{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.152{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.149{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.146{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.141{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.138{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.128{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.125{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.103{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.088{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.078{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.050{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.042{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.024{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.018{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.016{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.014{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.011{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.010{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.005{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:38.000{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:37.999{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000153337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:39.575{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A383235ACAED5840D75022DAD3EBE7EE,SHA256=59099D51EF47782F6B9D2536AA86D21B2E95EA433D757722E1229FE746101DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:39.579{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E417E64E01536DD9A813E731F4216C,SHA256=57EE8339DBD04D8140A07C4F5949ED436960709147A26BA538F2CE6117007A89,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000124482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:47:39.217{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000124481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:47:39.217{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x011f90e1) 13241300x8000000000000000124480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:47:39.217{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c8f8-0xf4944028) 13241300x8000000000000000124479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:47:39.217{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c901-0x5658a828) 13241300x8000000000000000124478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:47:39.217{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c909-0xb81d1028) 13241300x8000000000000000124477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:47:39.217{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000124476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:47:39.217{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x011f90e1) 13241300x8000000000000000124475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:47:39.217{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c8f8-0xf4944028) 13241300x8000000000000000124474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:47:39.217{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c901-0x5658a828) 13241300x8000000000000000124473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:47:39.217{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c909-0xb81d1028) 23542300x8000000000000000153338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:40.681{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BBD42401D20843656FCA1A8D78C19D3,SHA256=B11C1279040F3B6750BD2EFAE0814B3F59B84CFF19FF0B0975A7A55DAAAC6634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:40.636{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62252ECD19E3E880E22FBBCAB2D660C6,SHA256=F66BAD92040CD90BD9276D628C6C38BD6150166E5F267519DEB43F92B2CDFCF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:41.691{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB236DD3E190B2D885CA58FEE8323380,SHA256=77574266A47425FF781F65D735484959B5DD06E1697281ED7211B9C528F1FD2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:41.722{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6631F9112E266879255357D921E2E531,SHA256=4FA3559A7A1880C00BAD024E8A281CC58E03C4F791A6B30605ED0D7F6FAC9AFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:42.694{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD93E302F403E407D24063CAF900F42D,SHA256=D378E0AE4FD66F92DA63EEE8FD0ECACD8232242AB39B74C43B74EF7A8187C09D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:42.812{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:42.812{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:42.760{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8240DED86F2A85EE582C872874C4F9D6,SHA256=E9B080BD822AEEDD442EBCD9B049830F8B858C07EA0B7F661CB2B0AD6292B259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:43.831{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=677631BBBBD1652B101252D62B9E509B,SHA256=5A7AA7FDE68971B1EFBE166DB2254787FBD5D64D476A462D85CEDA037636E5E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:41.527{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52961-false10.0.1.12-8000- 23542300x8000000000000000153341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:43.801{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4939616A78AECD64A77181366BC5DA,SHA256=0CA099914F3572CC16E77B32D174CF0DC84175541267368B4E9B121ED293DCDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:43.510{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:43.510{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000124489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:40.212{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53668-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:44.850{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB84C67E0EB05CEEDBB976913AD7A490,SHA256=1975A54D858530926A4AE09D15CFCC9193D2D1A93D525FB9BAAC0F87B3E2BB5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:44.905{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41FD4D4CFFA283AAEB5198B42ADBA8A,SHA256=09FC03621076D148FFE3AE155CA8EDA5B879282B9EDC6D9FD1A52F5B9CD33BFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:44.029{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:44.029{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:45.934{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D1C16098798A245238603838C84D05,SHA256=FEC8EC55EFA46D6E20B77B228DD1F266167FAF373D0D003900BCC695E8CB2BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.918{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B1ACCC58D45B62ED1049124CBCBD87,SHA256=4006075924B87345D0BA54F77246850E6A74F29D62CB21C2ECDF4B514E8954A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.722{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.719{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.239{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.231{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.217{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.214{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.208{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.205{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.203{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.201{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.196{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.165{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.151{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.144{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.137{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.129{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.121{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.109{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.103{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.095{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.085{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.043{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:45.041{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:47.735{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:47.734{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:47.728{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:47.725{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:47.699{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:47.699{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:47.699{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:47.685{6820D070-D2EF-6322-0C00-000000007402}8483916C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000153369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:47.223{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4762936460E8ED841B8C6C9313B34988,SHA256=4CBD7817ED50C6F7E298B8F5C8B47764EE1EE0FB777A44BEA06D735BACF2D154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:47.139{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-315MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:47.020{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B7D928595D43F9EA2BCB43FB3B812F,SHA256=B2C4C19EB4A8872299DF32A41D581CFE212A1ADD15C6720564404E8745EF2483,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:46.559{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52962-false10.0.1.12-8000- 10341000x8000000000000000153417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.442{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.441{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.439{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.436{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.434{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.430{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.416{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.395{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.393{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.391{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.381{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.379{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.378{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.374{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.372{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.369{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.368{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.367{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.365{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.362{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.356{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.354{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.335{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.333{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.318{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.310{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.280{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.273{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.264{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.259{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.258{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.255{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.252{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.249{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.248{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.244{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.243{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.241{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 23542300x8000000000000000153379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.233{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A1117C643D071027393A369623F762,SHA256=D2BE8EC1D2AB68743FB0E5272D50B68B3911D7D41A295D64D88B0EF35A891112,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:48.656{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:48.656{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:48.423{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1EF4-6323-A60B-000000007502}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:48.423{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:48.423{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:48.423{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:48.423{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:48.423{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-1EF4-6323-A60B-000000007502}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:48.423{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1EF4-6323-A60B-000000007502}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:48.424{E743DC12-1EF4-6323-A60B-000000007502}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:48.071{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19278439125F8EBA4CC8610A16368C47,SHA256=013DCB19BCC3ADDED9FA2F6E1BDCFCD79DC2C1A29AF3D57FBBB26A8A4615BFD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:48.136{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-316MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:49.308{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C2D8B52F1ABD5BD2F4633BD734BD10,SHA256=1CC128B19442693FB29C14813778AB182F91ACD2CBF27679003397B7E89BBC26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.974{E743DC12-1EF5-6323-A80B-000000007502}1860976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.778{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1EF5-6323-A80B-000000007502}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.776{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.776{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.776{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.776{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.775{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-1EF5-6323-A80B-000000007502}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.775{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1EF5-6323-A80B-000000007502}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.774{E743DC12-1EF5-6323-A80B-000000007502}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.512{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0DF3DE3525D723EFA15642091D3C092,SHA256=25CBE6AC16A3996DBC8DD2F56D36A84771CB956BF3492CA54669DA8AC904F6D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:46.042{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53669-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.140{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76167A3172A7F79E02E871AD5A934A91,SHA256=2B9A7A97D580F9F140B1525ED374748BE94B3A994E506292BA646A9D46814E66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.095{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1EF5-6323-A70B-000000007502}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.095{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.095{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.095{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.095{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.095{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-1EF5-6323-A70B-000000007502}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.095{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1EF5-6323-A70B-000000007502}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.096{E743DC12-1EF5-6323-A70B-000000007502}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:49.025{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EE8C4C028318AAD65AB9AAB6AC441A4F,SHA256=B93208F5ED7A89C2B46956B5FF318FAF0A4AF63217589E8D3997971F2A10BE85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:50.358{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E20BC246EE4A0695423A1B8EF18852,SHA256=100793821F2666D6CFE9BAC3FA1EA4EBBF1A2C28711C49673BF1D0FD5EF80156,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:50.611{E743DC12-1EF6-6323-A90B-000000007502}32685632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:50.442{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1EF6-6323-A90B-000000007502}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:50.442{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:50.442{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:50.442{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:50.442{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:50.442{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-1EF6-6323-A90B-000000007502}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:50.442{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1EF6-6323-A90B-000000007502}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:50.443{E743DC12-1EF6-6323-A90B-000000007502}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:50.243{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F73BFF0E7DF1A863C1FD20FA9E98A1,SHA256=70A42A4257543B739950C0D4C2302A7112BD7503DB98C6515D5A052F957E558E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:51.362{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B266B7EB4548ACFCA017D773E1D496,SHA256=D2E09701CE9E233F2E2550A127F8FAA37D62A234C191671630882624E94DCF74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.627{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1EF7-6323-AB0B-000000007502}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.627{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.627{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.627{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.627{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.627{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-1EF7-6323-AB0B-000000007502}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.627{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1EF7-6323-AB0B-000000007502}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.628{E743DC12-1EF7-6323-AB0B-000000007502}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.443{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CE368489B1D3FC22E2E513158865297A,SHA256=1F07B4227ABDC3733CAD4ED5C376AC9E49F4934B758378A3A381B0B14A1270A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.383{E743DC12-1EF7-6323-AA0B-000000007502}51363548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.299{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B52CE802C1DC42D1ACB3BDF9CBAC4B1,SHA256=9DCC5F40E6321C7D08F3E64EABB5DDAABCBD0CD5390766CC9297B34B63CF9D85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.127{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1EF7-6323-AA0B-000000007502}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.127{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.127{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.127{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.127{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.127{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-1EF7-6323-AA0B-000000007502}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.127{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1EF7-6323-AA0B-000000007502}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:51.128{E743DC12-1EF7-6323-AA0B-000000007502}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000153422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:52.367{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FF79BD083ECA407AE703CA8E8A8924D,SHA256=644986257112533543F613C7A97901B32FFDA1D78CFE9E95F97EA23F1B1C9CD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:52.484{E743DC12-1EF8-6323-AC0B-000000007502}32843068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:52.382{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA9AB764231530756D7653F25C67134,SHA256=1C8B3C78CF1BFD94849B57D91FA40D4EA61FAF88AE87B1CC9913AD14605F4758,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:52.299{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1EF8-6323-AC0B-000000007502}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:52.299{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:52.299{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:52.299{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:52.299{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:52.299{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-1EF8-6323-AC0B-000000007502}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:52.299{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1EF8-6323-AC0B-000000007502}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:52.300{E743DC12-1EF8-6323-AC0B-000000007502}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000153424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:53.471{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DDC419CCBD2921765E348B7D79AE68,SHA256=63270DE9841CA47680D107C4E6C6A5E911D8698BEA7AEFF426CEE763B296F25F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:53.415{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2C80DF0A7C9AAA2F0C335FDADC495C90,SHA256=70FFA47FB3DB276437CC776E74BADF1AC9ADE8960846E71C0DAD29771CB9BA11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:53.346{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98448DCC3B4C802FC1C0A39B9ABC840,SHA256=E1028C1806541A6A2B4C74CC502BE48AF01A3785E92C20D8B38F19F6B7A2DD1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:54.482{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322F161BD3BE8B16B367E4942E506567,SHA256=2BADAC8A668FC37DF998B4738A32015374027D0E7D680C5057689F3839FAE5AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:54.382{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=73FEBA9C936C1FCFB6991ACBD4DB0438,SHA256=AD81115BF2E8A477694AF83AF5863B391684011CD26567899BF611FB80F18AA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:52.544{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52963-false10.0.1.12-8000- 23542300x8000000000000000153425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:54.476{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19CA5D27C5DE3A95231C03B528B28BF,SHA256=EAE20A84ACADC4BE7ADA5FA19248F7CE115B17331263A8F8C80798633620E239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:55.492{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D42355D9CE1236EEFC8E28D73B92601,SHA256=80B4D3D48A4EAF41110D9EAB6FC4BA7D0522461D2EC4FE070B0D5341036CF309,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:52.076{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53670-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:55.450{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B0DFA9E233B20627A85F296FF4B0E59,SHA256=BF306F51081F0182057E024876B4C0EBB6C9AD463C1916458F65A7B97940A171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:56.774{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=F7C6ED7B409BD5AD4DF3AC73B6160B42,SHA256=F3F4B197000EAE3EBA9FF9A52C61114FE997C9C7853673BDC7C7B8496C95FC54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:56.498{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1032812E33C9E9BE1185958AE6D29A5,SHA256=B771FA500FF7D6A4B4C7A8D963C6D331762402AD1E9F15FBD530F3C951C7888A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:56.486{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D8664442DAA0C104CF2FDA9410DED8,SHA256=DBDF6B23CA743379386D228010FAB0E71E73DD76DC12B03A5D3702D1611E0587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:57.601{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D217BFA1776F6139ADC192AB745B629C,SHA256=D25984AC694EB108F0F1CA3824EBD302A5CCC65A472BB60041849748B8A1A96B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.997{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.990{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.988{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.974{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.965{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.940{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.934{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.926{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.915{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.896{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.889{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.876{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.864{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.852{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.839{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.836{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000124575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.539{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6B2C9360E0FC81C0A426C855D82F81,SHA256=8388D94B45EEB6EDF681BF036D5BCAC9B91532F4E598F371DCC409C3B2609F5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:58.707{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029008B7A0209238B1B6338E48AB8597,SHA256=99529C91C463377B83561BEC76A550C93A569CD489EDA111275250A35AB362D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.772{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09656ED97D74A704E01F11307CE6A698,SHA256=9754B03F1E40E954D270D526D890F0471376F802D25BB128DB08876A77829D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.772{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0272E9A68661C436631BA96CB9822BE5,SHA256=591BAD9BCD6BA76C7D12AEA06474F03D1135DB331D1EF13FE5CB1C0FFFD03AB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.187{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.183{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.176{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.172{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.171{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.157{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.155{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.155{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.151{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.147{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.144{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.141{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.132{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.130{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.109{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.094{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.083{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.057{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.049{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.039{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.034{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.032{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.029{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.026{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.025{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.021{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.019{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.017{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.014{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.012{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.010{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.008{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.004{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:58.001{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000124628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:59.817{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2157F063DB04462EAAB2C9DD666266,SHA256=88215AAF8AFF3C0F5DBC53D42AEC5DCC5A53592C2A7E99282B4345491833102C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:57.591{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52964-false10.0.1.12-8000- 23542300x8000000000000000153432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:47:59.810{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1740E5447BFD34AB03A4A26B0C0E045,SHA256=6F5B7B5E6A7E6BC4796B2F20CE5A50999B0C2B7BCF7570823E79ECC4B719C8D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:00.877{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10F42103F40C39CFEB5B85F6F16828A,SHA256=6930DBB07F3081A1D8F79885CE076271FF968614E8C130765FA78CF0594DE186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:00.821{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9735E501A3CF303DA83331CB22BFF3,SHA256=CF53D1F5AD00A9617BAE05B9BCD7A65A02F63DC81969C1DE8B09135EF3FA1DB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:47:57.115{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53671-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:01.919{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D7F6471F252833EC321550192B31B9,SHA256=8F6ADAEB43EC3CABBD225B2D9F5959E4BC00D42BA2F8C509D4BA65CE8F9BCFE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:01.926{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4B47773A1920A2405C75EB796AF26F,SHA256=48DDF754C422FC17A80F4E59A109A04A8CC7428342629298B60817068EDB5B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:02.966{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1578CAF907C8FD08B5DFFA8FD18C2DD9,SHA256=36E5A72EE446D013C9B017FC080D9D3DCB0083E7CD459BD857B4C84679A641F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:03.837{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF61A259BD111BA2BE3B6F9E6F2B1C09,SHA256=7D2B1C3D0A814156B3B71307A843F25CB6DB909C9AB20DDD52E7B95C872B2EF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:03.031{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8003C759FCD9A3202653664C3721B571,SHA256=FE68E65644C2CCEF84A5B0D446A3807A923EF0090DCA697EB5AC4F487CE60F6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:02.274{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local52965-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000153439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:02.274{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local52965-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000153438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:04.037{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B48997872B519E24C3AE96B87C3B1CD,SHA256=7758DEAD06B5531BBC10394DBA481C2F3534EA5122A0E5E5D776030E3BC2B4FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:04.402{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=6486307DA38132178C82DB093EA7888B,SHA256=A2AD48B6CBD322CCC7C52C5E442CE88E6F214A9A5C4EC885CE8B6DFEDE634BDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:04.052{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F24EE985774C13E7562151BAD53DA56,SHA256=333F3DE438E016CFD5DAD88582228A5C50022FC2B9ECFA03C0C9ABA26E8264A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:03.117{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53672-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:05.087{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF009BEF3E097A0C5A3FEBD023AF3364,SHA256=2A1B27A8FD54242C44CABF5515CF58E4BE3B0944BBB677DA9D19FCEC36A6C20E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:02.638{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52966-false10.0.1.12-8000- 10341000x8000000000000000153464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.715{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.713{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.287{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.278{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.258{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.254{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.245{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.242{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.240{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.238{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.233{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.208{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.195{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.190{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.184{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.176{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.169{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.156{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.146{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 23542300x8000000000000000153445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.145{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDC0AC194784FE78209D233429963881,SHA256=6E3A85E3E95201FC7FAE209B0A9F9C0D5CBE9507F7C6D7ADBA2DC91C8EFF908C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.133{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.119{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.046{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:05.029{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:06.460{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:06.460{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000153466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:06.459{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D6EFBD54E9A0D3728C83D32750EF03,SHA256=EFE5511FEEDD6BCF3E6D262D7CE0F5247CB3621F0559D7750EB94A5AEB7200B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:06.167{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA539DC21C04306BE3577D2B0A7B983A,SHA256=84B31721ACAC55FD41298CF55C0308E73DE95B77B67DAAD0B3ABAA7B4169259B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:07.730{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:07.728{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:07.721{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:07.718{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 23542300x8000000000000000153469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:07.563{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A661397FB056DBED33641B60E71A46A,SHA256=899FAC62CA7ED1135C240241E4531675EDBBFF6E2D0DA992343AA04C0BEC2ED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:07.192{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F1F17782E7873F9394FBC1112E0A9E,SHA256=261D3AD297251CA312FE1773E1C666A89594B45899A30FB2579E412ED106D90B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.632{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4850D566E1AA6F88C143968C70365CF2,SHA256=B563C77A5CAE7CA5896AEDEA4030CF98113E8DC2918DCDD3BF3F7755EF208B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:08.234{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF6842FC339C00A30B404BC4EBDDB6E6,SHA256=AFFFED01D1C54C9F043FBE5093AB1B682053FC4FA05DBD500C8899729003AA79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.528{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.526{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.521{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.519{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.516{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.513{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.494{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.454{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.451{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.449{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.430{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.427{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.425{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.423{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.420{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.414{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.412{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.410{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.407{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.403{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.385{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.378{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.346{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.344{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.329{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.319{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.272{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.265{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.254{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.249{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.247{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.244{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.242{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.239{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.238{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.235{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.234{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000153474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.232{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 23542300x8000000000000000153517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:09.797{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F732A11B1D593CCFC32C68B8828829D,SHA256=06A457FA3ED4BB68F08ABA48EEE689FD1F837DFC28663B19CDDF7E559BDF7F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:09.265{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7088D9176C04698215E12F375B4EDB2,SHA256=DF9042A5C05914B4A44A3809173FCC6D4E0F58AB8A6E501CA00808BED50AF8E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:09.725{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:09.725{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:09.713{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:09.713{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000153519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:08.530{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52967-false10.0.1.12-8000- 23542300x8000000000000000153518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:10.802{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F808EC349BB1392903B9D60BAE634B,SHA256=6BECBB0BC22582D964BAEE3C0ED3C2614DC48D92372EA3A31E9047702A87C162,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:08.241{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53673-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:10.338{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF365C529362F5E6FC629790E489254F,SHA256=323FF4DAF4B036C4557E245E7076025F5AA28FDBF1DC84FD25DCCA140D7881C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:11.907{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE00046E38459C22F977160EC422BE61,SHA256=AE5AE75A0CA945D4BCEF7CA195555593F1FA02424F66AA03C03FF0BF49D47E73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:11.421{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A50800EB4BE48BA56F78C61BDAD552,SHA256=5DF15416DF7D0F770CF11CBBBC01AE3863FB363C13EA40079C2304F17AF41A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:12.910{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE55F13BCCB26474117DB7EC5F1147FD,SHA256=1AF45C341BAB7A2097ACD52D216D48E5F462403BEFDCF5953565BEC48552E835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:12.506{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D587ED6D40B3EC2DFE3BDF7BAC786C,SHA256=B0584B839AB9DC2F3D87B8910F13CC4E2FA7A114C37F722480A7D7A54B88B95F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:13.917{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F74C38AFD900C5DBCA8BD672D0CABDAD,SHA256=8E76288B19A6EB8337715948BDAF61D18437CD724003217C92934086424E3BE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:13.544{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDDBCE22FCB91C6C3F7138AB270EA769,SHA256=01BA1888519F29D93B122B75108FC51B0F4DCD5C9B3075D816088749941755F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:14.593{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96232DBFB4488D24A2F2E1877BD05077,SHA256=574723B75D43A541E0A2DC48BCDA9751FA69C5A191D5CF5849E0473237C2C27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:15.679{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11762FB35800EFF1CBC8B8A8A013CB55,SHA256=4C6142E28E233B3B1FB34ACC349F0D9DABA9CC6C387D44D99C262C1CB91093F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:13.637{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52968-false10.0.1.12-8000- 23542300x8000000000000000153524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:15.752{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:15.032{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B0ADBCD4CC39CFD3E8FCDB11F22236D,SHA256=1A4A30B4CA9D225A025A18135C4F4FAADE5BE4C1DE5916A979EC40761805E821,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:13.985{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53674-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:16.730{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5A66A4973FB0A750870A2D50CEE10A,SHA256=2D56C04BDB53D5B67DEA2F81919D94F4D79107407571964A5C9CC335DB21418D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:16.139{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B7A5FFE8D759AB7A57FAFE51937E0C,SHA256=398738F3C3DF74150F28302D90D2FF8D781AC401DC91B02DC572A62FAA2AD4E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:15.248{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52969-false10.0.1.12-8089- 23542300x8000000000000000153527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:17.242{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40B1624C5DC50E245A7F3F1C2D076F3,SHA256=FA6D327102B39C6D48EDAE61F2D43B1FEA0337C30FBACDF64625D09953027E3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:17.997{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:17.991{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:17.979{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:17.960{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:17.944{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:17.937{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:17.922{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:17.913{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:17.898{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:17.872{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:17.867{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000124650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:17.802{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D7B1A853FFEB51DBE21E7B3139A5AF,SHA256=BF142BF9023A5EBF290965045E59BFC1C5C919CF09A9FB05C3EBEE5D9E0E35CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.975{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.872{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C474D6797237E42D5968CF1EDA2E0FF,SHA256=B13FECC77118859759993CA21D935F4151158D8884917022D95A303AFB7A354A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:18.347{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F24489CBE999FE5847191A8DD5DE6DB,SHA256=EE537855477CDCEB4033D56B307136EB72625600DFF104D3B78284AE2BC10BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.387{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1406E1D340D3A3FDB92E2F6E3B9B44A8,SHA256=C448742C65E4B15194D62803690FD5622D979D27EBE0B342BBAAF4FE34AAE1F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.223{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.221{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.217{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.217{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.215{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.202{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.202{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.199{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.198{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.196{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.191{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.188{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.183{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.182{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.163{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.151{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.141{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.110{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.103{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.094{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.088{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.087{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.084{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.082{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.081{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.078{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.074{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.073{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.071{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.070{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.067{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.065{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.062{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.058{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.048{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.042{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.040{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.030{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:18.024{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000124704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:19.918{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E018DBAA37E2D9A61ECB5EFB514085,SHA256=ECACF3A0D54516683A93DDDE834C780BCC6C0738C88405194F818B20537E415F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:19.352{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF560941CBAB9F57E7B412B0271F308,SHA256=CA453F64744794F991775A1F9F449EC7AE5148D124B77337C0645D2AE56FC07A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:17.934{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53675-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000153549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:18.668{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52970-false10.0.1.12-8000- 23542300x8000000000000000153548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.872{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0E62EDFF033691F284F13D68A21E742B,SHA256=D625CBC634CCE04613786AEB8683883732A2F80441A0E6B04FADB6B477967B8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.871{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F14-6323-DB13-000000007402}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.868{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.868{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.868{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.867{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.867{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-1F14-6323-DB13-000000007402}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.867{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F14-6323-DB13-000000007402}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.866{6820D070-1F14-6323-DB13-000000007402}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000153539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.362{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330E6AD73643D753B7A0B973E0549BDA,SHA256=91DB0997EE605F79F609566701EB9C0E21D2E5EF7B45A8169866BFE23A51AD61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.353{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F14-6323-DA13-000000007402}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:20.662{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8337AEBD2D95F86D04BA55536E9478AC,SHA256=B2CE84B9A1FE18D782B91A09E9D99271F222E5C8E3CF67C5848E479A01FAE470,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:20.239{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:20.238{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:20.238{E743DC12-D54F-6322-0B00-000000007502}628712C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:20.224{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.351{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.350{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.350{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.350{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.350{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-1F14-6323-DA13-000000007402}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.349{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F14-6323-DA13-000000007402}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:20.347{6820D070-1F14-6323-DA13-000000007402}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000153560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:21.700{6820D070-1F15-6323-DC13-000000007402}72885016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:21.535{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F15-6323-DC13-000000007402}7288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:21.533{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:21.533{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:21.532{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:21.532{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:21.532{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-1F15-6323-DC13-000000007402}7288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:21.532{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F15-6323-DC13-000000007402}7288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:21.531{6820D070-1F15-6323-DC13-000000007402}7288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000153551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:21.467{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44673F10CCA4D1EEF1C718E299A5BF65,SHA256=9FC27AFAFC0A72CF5599C96ED1173BE39F15A0479C7C538C5B813E62DE585670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:21.456{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3445E4887DBF9321A46959A9702B9612,SHA256=0CC5516FB9C064C5BED6C03D452E0B088D5FF95E510858E3EF8CCE865FE5DA64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:19.149{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53676-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:21.008{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67756991A74C679C82851AA941E14A42,SHA256=D61F29946847ECC2A64958E40E90FD5B0149E81C0B57CD04E859E74183E3F47E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.984{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F16-6323-DE13-000000007402}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.984{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F16-6323-DE13-000000007402}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.984{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F16-6323-DE13-000000007402}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.983{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F16-6323-DE13-000000007402}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.983{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F16-6323-DE13-000000007402}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.983{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F16-6323-DE13-000000007402}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.864{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F16-6323-DE13-000000007402}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.862{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.862{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.862{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.862{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.861{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-1F16-6323-DE13-000000007402}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.861{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F16-6323-DE13-000000007402}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.860{6820D070-1F16-6323-DE13-000000007402}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000153569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.476{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2EC54C9F66DA561842696D0A2BCC40,SHA256=BAD6B6201F82AB691F499A7BC0627E07DC46DA0CE4257AB5FD9817220ADFDDD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:22.078{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5350EAD3E051CFFE85A6CCAC3D2B0334,SHA256=F986E1FBBDB89817341CF651004BE4BDDBE8607210395F60453CCD0AC6BF91CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.198{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F16-6323-DD13-000000007402}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.196{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.196{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.196{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.196{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.196{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-1F16-6323-DD13-000000007402}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.195{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F16-6323-DD13-000000007402}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:22.193{6820D070-1F16-6323-DD13-000000007402}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000153599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:23.711{6820D070-1F17-6323-DF13-000000007402}78685972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000153598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:23.620{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3F690359D56B07DAE714AE80FB2BBF11,SHA256=6B1A243B2E1F0007F42E7487FA6D73D21397C1C2920D8EBB02E3410161877318,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:23.530{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F17-6323-DF13-000000007402}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:23.528{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:23.528{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:23.527{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:23.527{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:23.527{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-1F17-6323-DF13-000000007402}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:23.527{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F17-6323-DF13-000000007402}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:23.525{6820D070-1F17-6323-DF13-000000007402}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000153589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:23.489{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8D6118663D9835BBB9C098D88BE8EA,SHA256=DC49E15DF3B5E41EBA9B71EAA6CEF78E81381434F4051F61888FB2A91E032F86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:23.228{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A38FFF4530CA926D390C3024327389F,SHA256=670A8A8C63EAF672F461F3FBC9176448307659708A9C4CE709CAC661B6A8B6A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:23.048{6820D070-1F16-6323-DE13-000000007402}24447956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:23.021{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:23.021{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:23.012{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:23.012{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:24.936{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:24.935{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000153609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:24.597{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68409E5E1EA3EFBE7668261BC558B4AE,SHA256=3B06C75C5F62BCCBDA935BE1EEDDD6F7E931C596C2CE51D96CB456897F11425C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:24.299{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D208687B0DF8FA828688BFE14C277D,SHA256=5058328B662D99F4A5317832D49038EEEA1C5ED4728AA2FBE8E48CD502EC2CE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:24.400{6820D070-1F18-6323-E013-000000007402}72806212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:24.202{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F18-6323-E013-000000007402}7280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:24.200{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:24.200{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:24.199{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:24.199{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-1F18-6323-E013-000000007402}7280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:24.199{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:24.199{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F18-6323-E013-000000007402}7280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:24.198{6820D070-1F18-6323-E013-000000007402}7280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:25.349{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60895A977266DA521E6A5A3CF8E3484E,SHA256=E5BFFB2A9ABAC25BD6E04618C57D4356877B671F6B8D7DCBBAF7915A907B51D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:23.704{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52971-false10.0.1.12-8000- 23542300x8000000000000000153635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.709{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31558CE32857518576C21BA859B050DC,SHA256=93EB3D7A1E66DBF7B45A088D4C733E194BB45B786BACA11D89205C8C91964AB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.654{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.652{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.245{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.239{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.228{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.224{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.219{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.216{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.214{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.212{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.206{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.181{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.168{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.163{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.156{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.147{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.138{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.127{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.119{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.109{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.100{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.034{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:25.028{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 23542300x8000000000000000124717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:26.418{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C916940ACCCF89B4B003129C8AB7C55,SHA256=B7D8E42210C303C74745BE5A15A3E72B977D41FADE756E2FFCFD1C7F20D23344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:26.715{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB8B461FE8DD5385849C999447CA5B3,SHA256=609A17240F5FE1D0F961413BF810BDA2B1D910F0A1C3E6533048F3A42AD9E26D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:26.320{6820D070-DD04-6322-7906-000000007402}26566808C:\Windows\Explorer.EXE{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:26.320{6820D070-DD04-6322-7906-000000007402}26566808C:\Windows\Explorer.EXE{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:26.320{6820D070-DD04-6322-7906-000000007402}26566808C:\Windows\Explorer.EXE{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:26.285{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:26.285{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000124720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:25.148{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53677-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:27.505{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454093353EFD4E5A4D3B5EDBC3504E80,SHA256=F512B184E3616BE7DFE97FAB684B956907FA31B40C6AD13C0EDB9897F8D7441D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.917{6820D070-14A1-6323-7F12-000000007402}78967424C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000D667B8F)|UNKNOWN(000000000105182A)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+d8ba(wow64)|UNKNOWN(0000000013137DA0)|UNKNOWN(0000000013137B78)|UNKNOWN(0000000013137A16)|UNKNOWN(000000001313795C)|UNKNOWN(000000000D66F41E)|UNKNOWN(000000000D66EE59)|UNKNOWN(000000000101926B)|UNKNOWN(000000000D66517D)|UNKNOWN(0000000003307497)|UNKNOWN(0000000003307413) 10341000x8000000000000000153672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.917{6820D070-14A1-6323-7F12-000000007402}78967424C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000D667B8F)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(0000000013137B78)|UNKNOWN(0000000013137A16)|UNKNOWN(000000001313795C)|UNKNOWN(000000000D66F41E)|UNKNOWN(000000000D66EE59)|UNKNOWN(000000000101926B)|UNKNOWN(000000000D66517D)|UNKNOWN(0000000003307497)|UNKNOWN(0000000003307413)|UNKNOWN(0000000008107365) 10341000x8000000000000000153671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.912{6820D070-14A1-6323-7F12-000000007402}78967424C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000D667B8F)|UNKNOWN(000000000105182A)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+d8ba(wow64)|UNKNOWN(000000000D66FE00)|UNKNOWN(000000000D66F8BC)|UNKNOWN(000000000D66F36A)|UNKNOWN(000000000D66EE59)|UNKNOWN(000000000101926B)|UNKNOWN(000000000D66517D)|UNKNOWN(0000000003307497)|UNKNOWN(0000000003307413)|UNKNOWN(0000000008107365)|UNKNOWN(000000000810756E) 10341000x8000000000000000153670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.912{6820D070-14A1-6323-7F12-000000007402}78967424C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000D667B8F)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(000000000D66F8BC)|UNKNOWN(000000000D66F36A)|UNKNOWN(000000000D66EE59)|UNKNOWN(000000000101926B)|UNKNOWN(000000000D66517D)|UNKNOWN(0000000003307497)|UNKNOWN(0000000003307413)|UNKNOWN(0000000008107365)|UNKNOWN(000000000810756E)|UNKNOWN(00000000081075A0) 10341000x8000000000000000153669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.912{6820D070-14A1-6323-7F12-000000007402}78967424C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000D66FAEA)|UNKNOWN(000000000D66F97F)|UNKNOWN(000000000D66F88F)|UNKNOWN(000000000D66F36A)|UNKNOWN(000000000D66EE59)|UNKNOWN(000000000101926B)|UNKNOWN(000000000D66517D)|UNKNOWN(0000000003307497)|UNKNOWN(0000000003307413)|UNKNOWN(0000000008107365)|UNKNOWN(000000000810756E)|UNKNOWN(00000000081075A0)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 10341000x8000000000000000153668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.912{6820D070-14A1-6323-7F12-000000007402}78965296C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000D6668CA)|UNKNOWN(0000000018301712)|UNKNOWN(00000000183011B6)|UNKNOWN(000000001870D255)|UNKNOWN(000000001870D177)|UNKNOWN(0000000018767091)|UNKNOWN(0000000018766EE9)|UNKNOWN(0000000018766EA1)|UNKNOWN(0000000018765D8A)|UNKNOWN(0000000018766C8E)|UNKNOWN(0000000018766AA3)|UNKNOWN(000000001876694C)|UNKNOWN(0000000018766557) 10341000x8000000000000000153667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.912{6820D070-14A1-6323-7F12-000000007402}78967424C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000D667B8F)|UNKNOWN(000000000105182A)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+15b8f(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+fdd2(wow64)|UNKNOWN(000000000D6677C6)|UNKNOWN(000000000D666639)|UNKNOWN(000000000D6653FF)|UNKNOWN(000000000D664F10)|UNKNOWN(0000000003307497)|UNKNOWN(0000000003307413)|UNKNOWN(0000000008107365)|UNKNOWN(000000000810756E)|UNKNOWN(00000000081075A0) 10341000x8000000000000000153666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.910{6820D070-14A1-6323-7F12-000000007402}78967424C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000D667B8F)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(000000000D666639)|UNKNOWN(000000000D6653FF)|UNKNOWN(000000000D664F10)|UNKNOWN(0000000003307497)|UNKNOWN(0000000003307413)|UNKNOWN(0000000008107365)|UNKNOWN(000000000810756E)|UNKNOWN(00000000081075A0)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 10341000x8000000000000000153665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.910{6820D070-14A1-6323-7F12-000000007402}78967424C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000D6668CA)|UNKNOWN(000000000D666522)|UNKNOWN(000000000D6653FF)|UNKNOWN(000000000D664F10)|UNKNOWN(0000000003307497)|UNKNOWN(0000000003307413)|UNKNOWN(0000000008107365)|UNKNOWN(000000000810756E)|UNKNOWN(00000000081075A0)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+11adaf(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+4660a(wow64) 10341000x8000000000000000153664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.910{6820D070-14A1-6323-7F12-000000007402}78967736C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000D66435F)|UNKNOWN(0000000001014754)|UNKNOWN(0000000000C9FD97)|UNKNOWN(00000000010FD575)|UNKNOWN(00000000007AC947)|UNKNOWN(0000000000FFAE0E)|UNKNOWN(00000000007A6065)|UNKNOWN(00000000007A5BAE)|UNKNOWN(00000000007A5AE8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|UNKNOWN(0000000018765D8A)|UNKNOWN(0000000001118065)|C:\Users\Administrator\Downloads\bin\coreclr.dll+11adaf(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+4660a(wow64) 10341000x8000000000000000153663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.909{6820D070-14A1-6323-7F12-000000007402}78965512C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dae6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dd11(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e2de(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e4ae(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+6a31(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+749d(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dfe2(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e0b6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e177(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64) 10341000x8000000000000000153662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.909{6820D070-14A1-6323-7F12-000000007402}78965512C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+de5f(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dca6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e2de(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e4ae(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+6a31(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+749d(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dfe2(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e0b6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e177(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000153661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.899{6820D070-14A1-6323-7F12-000000007402}78965512C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dae6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dd11(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e195(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1d732(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000153660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.899{6820D070-14A1-6323-7F12-000000007402}78965512C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+de5f(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dca6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e195(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1d732(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000153659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.722{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9563DCAA05A6401F2193BEC369540C3B,SHA256=B47C44ED2CA5A10BA543401518D88EAEBD7D673CC6A85B2C60433745ABD35355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:27.257{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-306MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.688{6820D070-14A1-6323-7F12-000000007402}78965612C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+f6f0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+eb46(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a9a1(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a720(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+ca3d(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000153657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.688{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.687{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.687{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.687{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.687{6820D070-DD00-6322-5E06-000000007402}34204136C:\Windows\system32\csrss.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.686{6820D070-14A1-6323-7F12-000000007402}78965612C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9328(wow64)|C:\Windows\System32\KERNELBASE.dll+d800c(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a871(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a937(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a720(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+ca3d(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000153651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.687{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0.0.0.0 --aLSZnlmnjFkdUuYoWBWV.exe"C:\Temp\agent_tesla-deob.exe"C:\Temp\ATTACKRANGE\Administrator{6820D070-DD02-6322-1C5A-600000000000}0x605a1c2HighMD5=4FC2BCC905D1FBE864BC21154C1CB6F7,SHA256=2355D7C89C599C8B1C34D3DF8493D3F1C16437E8D7D0CE228333B368C41D54C2,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000153650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.686{6820D070-D2F0-6322-1200-000000007402}965740C:\Windows\System32\svchost.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.681{6820D070-DD04-6322-7906-000000007402}26566808C:\Windows\Explorer.EXE{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.681{6820D070-DD04-6322-7906-000000007402}26566808C:\Windows\Explorer.EXE{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.681{6820D070-DD04-6322-7906-000000007402}26566808C:\Windows\Explorer.EXE{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.667{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.666{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.659{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:27.657{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 23542300x8000000000000000153729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.805{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1BB112CB8D028B2357865ABD9ECEF4,SHA256=959DAC4E42B787664A26EDCDEF90B81D031C3B0D0573CC492A4CAD20AB39D8F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.803{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD9A665347FD361CB445288C0FB83DA6,SHA256=E5A394FABA7E30C8F195DE3D3C78C72E4DACCA7D26763BF3657CF9423DC1BF42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.802{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D9FF8542F58F37100F1B87CD003C821,SHA256=6BC7CA6BDDD198FBE9FDC827E3DB9C4FC2F5931F5EBB3B8E8A74AA849AE1E2C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:28.557{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EF0187986E0E531E52430A54FBFDAF,SHA256=DC32392E6408045FBCD63E2F828A10A28FCFE943C84FC9548595A879D8EEF7F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:28.279{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-307MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.707{6820D070-14A1-6323-7F12-000000007402}78967424C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000000FF957B)|UNKNOWN(0000000000FF9501)|UNKNOWN(0000000000FF9475)|UNKNOWN(0000000000FF939E)|UNKNOWN(0000000000FF92AA)|UNKNOWN(000000000810E5FC)|UNKNOWN(0000000008107365)|UNKNOWN(000000000810756E)|UNKNOWN(00000000081075A0)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 10341000x8000000000000000153725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.575{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.575{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.575{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.530{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.442{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.389{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.388{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.385{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.383{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.379{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.373{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.359{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.334{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.332{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.330{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.321{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.319{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.318{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.315{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.314{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.311{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.310{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.310{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.307{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.303{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.290{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.284{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.263{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.261{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.247{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.241{6820D070-D2F0-6322-1500-000000007402}12521468C:\Windows\system32\svchost.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.241{6820D070-D2F0-6322-1500-000000007402}12521316C:\Windows\system32\svchost.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.239{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.213{6820D070-14A1-6323-7F12-000000007402}78967736C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000001317331A)|UNKNOWN(0000000013173120)|UNKNOWN(0000000013172C08)|UNKNOWN(0000000013171EC4)|UNKNOWN(000000001317143D)|UNKNOWN(0000000001014841)|UNKNOWN(0000000000C9FD97)|UNKNOWN(00000000010FD575)|UNKNOWN(00000000007AC947)|UNKNOWN(0000000000FFAE0E)|UNKNOWN(00000000007A6065)|UNKNOWN(00000000007A5BAE)|UNKNOWN(00000000007A5AE8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64) 10341000x8000000000000000153691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.210{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.203{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.194{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.189{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.188{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.185{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.182{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.180{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.179{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.175{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.174{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.172{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000153679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.103{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.103{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.103{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.102{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.102{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:28.102{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 23542300x8000000000000000153733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:29.911{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A4B907E837BA1B8F783CC2EFCB0BB5,SHA256=A79AA583E4474C7D78C3C5E662B2BDB588555C83126968BD39416B1091E0DFA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:29.594{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5D250282238D29F6F0E09787534362,SHA256=00769B466ED0DD31F66598065F59A0FDA5A53520FCF2A8553E1089595591C63F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:29.778{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:29.778{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:29.754{6820D070-14A1-6323-7F12-000000007402}78967424C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000000FF957B)|UNKNOWN(0000000000FF9501)|UNKNOWN(0000000000FF9475)|UNKNOWN(0000000000FF939E)|UNKNOWN(0000000000FF92AA)|UNKNOWN(000000000810E5FC)|UNKNOWN(0000000008107365)|UNKNOWN(000000000810756E)|UNKNOWN(00000000081075A0)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 23542300x8000000000000000153734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:30.915{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A969A57477ABF5C94662B7B2614C8B22,SHA256=F901FB236BE6E968D3E620ECE194C323BE9EDA94FA9D05A8E38B5341990A50D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:30.643{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73FAE27BA7D45ECAEE58CBCAF832C83,SHA256=ECBE92E37A50F734F081FA69910582DED21A733D41A09BA97D5B95344C296671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:30.260{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=246BE5FC37524B6C29E21C4992DF3A09,SHA256=2818EDDABB0D7ACEA143CDC50D86214C4F61F7944405E735AE32482B3ABAED9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:29.563{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52972-false10.0.1.12-8000- 23542300x8000000000000000153736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:31.920{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1EADC2699E2AA9F0846928C86E75BB,SHA256=773A84557885209D719250A34BE6FE646B14A1EA1361875F149687FFB45C1A6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:31.684{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9571B3CF55D301AFF382D04F41AEE5E,SHA256=58DAE194E7957163C0DC4026656E33EA6744D8BFA0557FFCEDFD8662149EFFF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:31.122{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DD900804169C0316282CA4F70734C9AD,SHA256=0B86BE081F26EA1CD185905C63D12B39EDA97669EC487068F117EA15A0F5323B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:32.924{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86964B5C32135BE11B6DA0BCF458DCD4,SHA256=1C26CACD97645834BFF766051978045D92C4B4094F17B0964DD7880CF36BC721,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:30.187{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53678-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:32.745{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBBD99812D946010EBE6CB7D3C0BF22F,SHA256=8457FA7B6E4B84C7A20F2AEAB5144A9EE8249C5BB6375EBDF8B06E452F6500A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:33.928{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE421A27AB70AB622DD0FC1810890DD,SHA256=BD049FFDB0B7F52EA2E3691B663A1536C2903CD767398D99A35D96D550E72FEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:33.832{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD578FE216DB1D8346FDB9DC550DA77,SHA256=8B5E6CB02D4D0D0E152CB13249E47BE7D479C3194587D8A3D268C95CEDDFA3C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:34.935{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E61EE955C0848FAD1D020898179FADF,SHA256=A5E7D094CA657CD5FE95F0CF8537CE76A668B0876507D25592B0181FA4E33B1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:35.558{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:35.447{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000153740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:35.032{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272B34507B482C57A7DF4C795C3D1CF3,SHA256=EEA8F3D969E340C2C95E8B1A83F2C1872076C3F6A3E74D0D48968EDE4EAB5BE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:35.088{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61814- 354300x8000000000000000153744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:34.663{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52973-false10.0.1.12-8000- 23542300x8000000000000000153743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:36.038{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028041257B43A23A8F85052A537174D4,SHA256=E8E0F734F167E2124B4E48CCEE19C08A457389DC676FE8553D31D33BB258A939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:36.017{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA32B4066CB122320B1166B79CDEFDC5,SHA256=873A2A31A7BE5E54AF722881B6AB048ABF7575B61DEB88120ED0D2BA581AEA59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.989{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.982{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.979{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.965{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.957{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.931{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.924{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.917{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.907{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.888{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.874{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.865{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.854{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.844{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.835{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.832{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000124732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.074{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61EBABB8F0398A7EE4B80FFB60C6E88B,SHA256=11454D0B51C3BFBB063D954EEBBDE004595A3C296C9532B2AF9D02BD66ED7896,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000153747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:35.602{6820D070-1F1B-6323-E113-000000007402}5728grkmae.com9003-C:\Temp\agent_tesla-deob.exe 23542300x8000000000000000153746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:37.044{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BAA50934FB46CB7F531EDD103998B08,SHA256=F765B05B941D694CEEC5829CEE8CD87D4FB731765D95B6D0979D96C205FC0214,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000153752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 12:48:38.687{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exeHKU\S-1-5-21-2725908065-3830167236-2451934224-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\%insregname%Binary Data 13241300x8000000000000000153751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 12:48:38.687{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exeHKU\S-1-5-21-2725908065-3830167236-2451934224-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\%insregname%\%%insfolder%%\%%insname%% 23542300x8000000000000000153750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:38.681{6820D070-1F1B-6323-E113-000000007402}5728ATTACKRANGE\AdministratorC:\Temp\agent_tesla-deob.exeC:\%insfolder%\%insname%MD5=4FC2BCC905D1FBE864BC21154C1CB6F7,SHA256=2355D7C89C599C8B1C34D3DF8493D3F1C16437E8D7D0CE228333B368C41D54C2,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744truetrue 10341000x8000000000000000153749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:38.652{6820D070-1F1B-6323-E113-000000007402}57287132C:\Temp\agent_tesla-deob.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000075513C7)|UNKNOWN(000000000832BDD6)|UNKNOWN(000000000832B6BD)|UNKNOWN(000000000832B56A)|UNKNOWN(000000000832B394)|UNKNOWN(000000000832AA57)|UNKNOWN(0000000007B86E44)|UNKNOWN(0000000004C8E8F3)|UNKNOWN(0000000004C8E8B1)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll+1b6c(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll+1854b(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll+205eb(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll+2061e(wow64) 23542300x8000000000000000153748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:38.149{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97EAE2CF270C2184CAD4EBE9709CAAB5,SHA256=55D2EB981732013D89A369999F6D71292C873BB8B0CC4EDEB0E1E87509509B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.693{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=49550C5560B37A22F708116E9A37B74C,SHA256=4E4C5DFA88513F68F1C213BF2456F4CC17A0FD1BE413EDF8B2AC248EE728485D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.570{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256C29A980A7E3ECA7E5259D49C1A074,SHA256=852A67373200D0C3A41D238B80D316F6BAFE41305213429172B3EA91FADB9B8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.171{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.169{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.167{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.164{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.162{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.149{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.148{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.148{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.144{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.140{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.136{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.122{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.118{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.117{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.099{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.082{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.073{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.053{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.046{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.037{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.032{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.030{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.028{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.026{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.025{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.021{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.019{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.018{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.015{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.013{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.012{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.009{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:38.004{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000124749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:37.999{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000153753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:39.254{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=093A361A9AACCED702F887F16AC4E34A,SHA256=DE594F21E5F6B5E0767DF793DC335B0F0EFDD784D49A550DE54E318B54332B09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:36.167{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53679-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:39.175{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99050594C8FA0D629F002116447A944,SHA256=688E77FF288BDC98DB8F57F4438A7E6E52FD816AD01552F3AC7B66BC5EC00AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:40.270{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B79B311F65AFE66F69A3329F163BEA9,SHA256=93A9B1829E58996009399EBAE66E200D5C9BEFF96C3967EE8EA6508CF6847840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:40.844{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=318714D801B173D774D727D9146372F7,SHA256=94265109CC705B79D1273DA455357B0056F1DEC428EFA11965A25E1BE8970C4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:40.261{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80509B7CC3EEF83C6879A0588F8F89F,SHA256=C6188BDD9921C939781AA3A00E0C2013B7CF66625F64B88CB8CC75762B92C4F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:41.355{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F758AE7E8A23FD4C62FFCFA011A928CF,SHA256=3392F66800794D1075A39187D4ADA30D86A4BF138A17EF6D5C66DFC4DCB37997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:41.266{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C6D8332D76160E6478B763895468919,SHA256=6C1E37B3200D5C215B4DF2008EDCA75681A01D6DEB7DDE3C9D6CEBFFB8A86680,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:40.588{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52974-false10.0.1.12-8000- 23542300x8000000000000000153757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:42.278{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2144E289F7C71AEED478A17E6CBFD52,SHA256=3DB30E58A3A6D7BE91BF0C2719F6D556C93C0AE87BBC8D79A83973BFED064231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:42.397{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACDA824901B0F2B1797AE2FE926FF74,SHA256=DAF7874C53F5140B7B8C5653EADE90228912BAD0E38BC36F84913E9CA0A2D21B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:43.390{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E5B76B27AA201114C26DE6735FECD91,SHA256=EB5B3EF0AD54BCB43D0C4907A4019936CFD5E558F58D0041DF08F62A77E26C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:43.459{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314359295C56EABC9D6B5A2C7F59D9E2,SHA256=16DD5AD1141FF72478CDC0A1F593C947560C9C4954A067BB2A236AFF64F1199A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:44.531{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B93398C022300FF8EEF2615DA40429A,SHA256=CB41B07D4F51E4432E8F0B9D0D1C72A6EC543032108EC1629E27C86336FC81A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:44.400{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE2ED3CE0EF99EC0B6341D369132568,SHA256=2C64DDE5E4B93E283EBC78CD96B020AD2696F4A5B7A59D64B46A9942823317B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:45.584{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF50547440AB06D303AA30C086500AF3,SHA256=8D5D8166658EE49DCFB534C5D72A43F60EFDA64C4EC76696D21320C9F5511259,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.765{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.762{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000153782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.414{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D6EEB845213AE29F42FEE277C0F0B4,SHA256=FE9F6C5B0AB5F381C1576EBC5F44BB91472711987DCC0725AEBB00076874BDC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:42.117{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53680-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000153781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.262{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.254{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.237{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.234{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.229{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.225{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.223{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.221{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.214{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.175{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.152{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.147{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.136{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.128{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.120{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.110{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.104{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.095{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.088{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.047{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.044{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000124795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:46.890{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=0384A813570B4AD45C4FAFBCC6446CAF,SHA256=B67E18FDEA763BD613E48B8CF014F58DC2CBDBEA2B035AA5A7626B6DABD252BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:46.684{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9617C4E62359A96AA7BF2B6A0D53CFD8,SHA256=A719447D48115D207CCEBB6CEB3B5A32787E99C5B23A6C682646F62D01D256EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:46.519{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE1018691F3B816E334489B68419E64,SHA256=2AA68C7C4EFFCA266E6C213BA94B2048312408AF59D4F8ABFF7E9B1BFF644C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:47.767{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A72E035FB21A8D40BD3DB25EB6B011,SHA256=FAA10768F7F3C7E3E314656204914C2D5176B2ABF6CDE1DEBF303F147845D1E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:45.721{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52975-false10.0.1.12-8000- 10341000x8000000000000000153791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:47.779{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:47.778{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:47.771{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:47.769{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:47.685{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000153786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:47.624{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11077B5E338E583B374C9FFFE52F5153,SHA256=F63BAD2C3D9190D730B090CD518A90EACBD8C0F6FEB127BFDF6620BA4CB7E9F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:48.838{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F921FF4E1B76FAB96B35164B916D87F5,SHA256=A1E6EE5B7E881D72F4CCD302D7A264706B1FE069977AD2ABCF6EC37F1A1AE619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.909{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE98E30851966B72288C5B5AABD5294,SHA256=9B1420FADABB43FC141665FFE291665DFBCCAB5E483A3A31545CE775B980205A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.664{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-316MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:48.436{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1F30-6323-AD0B-000000007502}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:48.436{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:48.436{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:48.436{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:48.436{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:48.436{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-1F30-6323-AD0B-000000007502}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:48.436{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1F30-6323-AD0B-000000007502}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:48.437{E743DC12-1F30-6323-AD0B-000000007502}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000153831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.512{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.510{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.509{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.506{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.504{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.501{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.498{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.485{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.462{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.459{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.457{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.447{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.442{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.441{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.438{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.434{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.431{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.430{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.430{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.427{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.423{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.415{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.413{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.391{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.390{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.374{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.364{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.330{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.322{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.311{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.305{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.304{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.301{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.297{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.295{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.294{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.289{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.288{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:48.282{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000124825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.968{E743DC12-1F31-6323-AF0B-000000007502}46441908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.893{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8328930AEF7806C532688777C69D62A,SHA256=BF0331BBE78CAD83E644C19EC899E8820586CD49DD6340A9B39F23A8C00ACDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:49.757{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1128EAB214F33C9E4C898A9373115F5D,SHA256=EFF68C50A65F464B3C8635D57270650B3F44ED4F30D7E2CE49207EB3B81352B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.789{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1F31-6323-AF0B-000000007502}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.787{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.787{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.787{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.786{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.786{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-1F31-6323-AF0B-000000007502}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.786{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1F31-6323-AF0B-000000007502}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.785{E743DC12-1F31-6323-AF0B-000000007502}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.541{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E1EDF5FAAE7C0BBAD07A2BD8FC94B27,SHA256=F50F14C7904C2E694575630514B60F94482616E13CE0D6735891B559FEE337D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.411{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=01328A350DFEF24F97AC4F96482EB194,SHA256=F6D5B824A18319726540EFF6988FF401B633088E97A2A838EA9FA9882061842B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.108{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1F31-6323-AE0B-000000007502}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.108{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.108{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.108{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.108{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.108{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-1F31-6323-AE0B-000000007502}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.108{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1F31-6323-AE0B-000000007502}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:49.109{E743DC12-1F31-6323-AE0B-000000007502}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000153834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:49.646{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-317MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:50.991{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07990BBD95CDC5E0735E6870661099E5,SHA256=BE486A9DAA25A72DF62E8DB34FBDCCF7AFE56BEBE3C328654004BA33A445AD0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:50.762{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D29F5A645562075F8E5964A3B92E1F,SHA256=DCE12120F7D41EB7D5582C2DCD52F13272C584C5BB1A2C47DD5F324AC5C4CF57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:50.839{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=01718BF2447086EBBBCA43538B99149F,SHA256=49E3628FE2A555F175E37AA4C9208AC94A49A4E361E08B95C3B9A996BEEF6C06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:50.638{E743DC12-1F32-6323-B00B-000000007502}56684740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000124834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:48.012{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53681-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000124833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:50.457{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1F32-6323-B00B-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:50.455{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:50.455{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:50.455{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:50.454{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:50.454{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-1F32-6323-B00B-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:50.454{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1F32-6323-B00B-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:50.453{E743DC12-1F32-6323-B00B-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000153837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:51.767{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A717883A56247652B48339760FC917FA,SHA256=2159913AAF6BF5FAE11A33682D4FFA9860202DBEF467B37C924AB6D7AA047F01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:51.811{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1F33-6323-B20B-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:51.811{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:51.811{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:51.811{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:51.811{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:51.811{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-1F33-6323-B20B-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:51.811{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1F33-6323-B20B-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:51.812{E743DC12-1F33-6323-B20B-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000124845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:51.139{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1F33-6323-B10B-000000007502}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:51.139{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:51.139{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:51.139{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:51.139{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:51.139{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-1F33-6323-B10B-000000007502}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:51.139{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1F33-6323-B10B-000000007502}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:51.140{E743DC12-1F33-6323-B10B-000000007502}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000153838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:52.771{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72270BEAE69813E77AF3D3736BD480EE,SHA256=6B16D588663291D57815BA78CADFBF50CDA1C198EA410C10FD3EBC456C00125A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:52.476{E743DC12-1F34-6323-B30B-000000007502}61321896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:52.312{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1F34-6323-B30B-000000007502}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:52.312{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:52.312{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:52.312{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:52.312{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:52.312{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-1F34-6323-B30B-000000007502}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000124857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:52.312{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1F34-6323-B30B-000000007502}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000124856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:52.313{E743DC12-1F34-6323-B30B-000000007502}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000124855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:52.095{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B69E71303FDEFE7164305F81F537CC1,SHA256=99CE0E373D512FEE485BC98CE38B78E1C36CD4E0561BFF98CB7C0444F366DB22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:52.055{E743DC12-1F33-6323-B20B-000000007502}54963524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000153843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:51.516{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52976-false10.0.1.12-8000- 23542300x8000000000000000153842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:53.830{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F5849C53DC7290C153439B2D1061ACBC,SHA256=D0E0935CE2939BB38C514420C0F4DAA0D081CF01D9F96F04F58E345D821D26A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:53.778{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB12BDCE3FDB754CD3FEFA924E1667F,SHA256=94C592B9E57373480DA87A3ED3D10E1100B62B7542D9E286524AAC101EC78966,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.373{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.172{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711C02EB1A92459937B1353366B1F8B7,SHA256=E1E9E7F50434E36F041B44553D27B4A3CD3152FE55599171A212B3A9C269B900,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:53.280{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:53.280{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000124895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:54.544{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C46BB16CC32C554CD1EFFCA16F9636,SHA256=D0F20EDE692488F60048D87C4758A5CAADA3EAB7F5DD8968E0B9CC72084A5675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:54.884{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=902D63F7DA476944EE6BABFBB377998E,SHA256=9FD9B70EA15264C0BD6B4CC5027EA4E36E47A8A164B7820C5BC27D64B0C38348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:55.889{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60AEEEF4461088567F49FD9EBF12485,SHA256=059DC42A77E86E98E4EF0DAE03B823C02562EA74B0C8C4D596680FED42ACD921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:55.615{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D46DDD265025E2CB0BB1350ADB4DF0,SHA256=AC6E3E40298418F5344355EB187DEE66C929B1783BE2356F0FFBB6AAD56B019D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:53.167{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53682-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000153846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:56.894{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7431A4C7C0E5652567AA920CA1F26E7B,SHA256=A5C24B18BABA37DEB015B38A58023259CDFB33296DB633C7184C8C3979EEFFEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:56.946{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=5C534F6BF6365A3AB8DD6C14805D32E0,SHA256=2CA37423AD4A312A5EE40038B1110677306D014FD11372097EED86FD317606A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:56.676{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86747EBB61B0771BFF04A1E69ACE0A1F,SHA256=5A1B90F3D2ACDC726885E7F43CAA0D1C846C8F253C93B27EFA6DCE8086539A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:57.898{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A225B61F2E19BB40B593AB5BBD61B6FF,SHA256=A7ECCE22CDECCCC2DEACDEF2FBF5F58569FE3B2D168B1023E292829C243A2881,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:57.964{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:57.949{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:57.924{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:57.916{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:57.908{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:57.888{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:57.878{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:57.873{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:57.865{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:57.856{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:57.847{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:57.833{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:57.830{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 23542300x8000000000000000124900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:57.719{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66FB54B9B6BB46C9A99364CF3E5BF83,SHA256=DA0174BF4968F61518447749BABB9D90F315D3DA031088C5A95F28C53A61519D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.801{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE478DB64EA511EFF054420905735B9,SHA256=B99EC72777377A13A084195480911F6F950A6610E9A66698330A9A7DB3963C7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.383{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=118D12A8F19E0B4BE05BEF60DD67A347,SHA256=67E078835329A3C6A365ED45745C0F4E03317B2C1607A8507330BBF2487B61F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.217{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.215{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.213{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.210{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.209{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.198{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.197{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.197{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.194{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.191{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.183{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.180{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.172{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.171{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.155{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.142{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.134{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.114{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.104{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.094{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.086{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.084{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.081{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.079{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.078{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.075{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.072{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.071{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.069{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.068{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.066{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.062{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.048{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.044{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.038{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.016{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000124914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:58.011{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 23542300x8000000000000000124953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:59.855{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0995E5706D9D17BB9EA47AA2B924A036,SHA256=5F711E39FD4E4C7A890E048BFEF8AB4D02504B703CA924EA406857411AB689D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:56.534{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52977-false10.0.1.12-8000- 23542300x8000000000000000153848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:48:59.002{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE1FCBCAC4838106129C4CC48A54310,SHA256=0F6841EF8D894F50F3E0E48B23F43E0694ECEF5A630B6D33AB465E12FB71BC3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:00.926{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4E87FD5CA5900C7A859A0A450D4A09,SHA256=538B8CDB847C97833B87C7A4012F9AD84FE98EF2510727EC9DAA9A8B592FB7C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:00.013{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E969EDD56E5A392B93EAF18427A22F,SHA256=CFF6BCF79F19D6BFDF4F762E476D8119CE80EF1158E286AAB176E20EBC803443,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:48:59.059{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53683-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000153851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:01.117{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C412F3307BBDF4447B7DBE383890C6AB,SHA256=86349CE444E21F8ECE8EEF64B3BB79FFAC43B928C27C512D4614B7C7711A3ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:02.123{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF3510DD78BD35052AAB9BE8B26985D,SHA256=30F7228C54F5F69654799AD3CEEDF4FBA60FF1E149E75D627F9E596F14828378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:02.040{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5B759FA3E96CA181C5F7D33DBDBDCF,SHA256=AF003CEFB0DFF0505DC272DD862A52A442BF3DA0115DA347A1C86358A381F9D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:03.105{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE751E59D2C2C4F2B87F49ECCB032D94,SHA256=0999EC7FD1D8D2B0875B14F55EC3D66A46ECABFE5370CDE8E38E6B46A081149B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:03.822{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13126068D7AEB998763DA71E476BF268,SHA256=0104080D3C395F29D3C0F2092DF31351CF937C02457D4B57C418E739933DC302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:03.331{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D94B72CAA6B6EB381AF83391F711FD,SHA256=0321B336BDBFC8F789EE23A68B23AD1598DA787F4632651A3FD6FC7B7C61DD4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:04.337{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513DBDE4C2B4413B0E670BAFE693FD2E,SHA256=672C9E3BEE762A78C6259C0541CA4BBC2B984EB01EBC2CAFCEA525F9391FDDC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:04.129{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156F1CDA6F4EE7E63B0C6D35E1C35315,SHA256=2BAB6A42141E3DB49DFD72FC311BBB60D7EE51B1AD543FA94527A64C94EEF9D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:02.274{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local52979-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000153856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:02.274{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local52979-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000153855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:01.600{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52978-false10.0.1.12-8000- 10341000x8000000000000000153882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.726{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.724{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000153880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.348{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A7D58DBCC6DA28B594EADB9CA9B44F,SHA256=FF96F173F6C367BD32F8C923C1CFFD4C3002968EF6362C5900544B570896A6E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:05.174{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89E16A04CB56C696583D8A790B66A63,SHA256=084560DA0B89F6CAA81025ABC27EE2A8F011E05E867EE809474A8A166DE231F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.246{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.240{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.226{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.216{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.210{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.205{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.202{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.199{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.193{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.163{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.151{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.146{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.139{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.131{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.117{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.103{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.095{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.079{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.071{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.029{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:05.027{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000153883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:06.454{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89ACB6D778D860D253362DC1334726D,SHA256=02BA9C753B4F826E90B5B6777661D896DB8D65D16E11A6E924503C45FD9AAF2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:04.183{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53684-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:06.261{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ACA5B4583F09B9BD5B38A01121B4AD3,SHA256=6E30F6401690E0FD1239960CF9F0B83F2E506CF41989C93887377F6860635217,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:07.736{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:07.735{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:07.731{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:07.729{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000153884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:07.561{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420AA03D8EE5039B404CE397CD18BF0E,SHA256=458B9C924F074D8DE4DBF3D3E8F81F08F7EB71DCC49B4265DB62ABC826C795DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:07.362{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CDDC6DB81415B2FDF3FA04CD96425C5,SHA256=687C24471489B543855FEE34A7F69AB3730637701231AFDBACFA3A131BE728DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:08.434{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC143516489A7B33E929C77E52BD2D0,SHA256=DBC094B80206CFDEA8F16D9A26831B521AFB57A18AC3AEB57E25FEFF73BCF3A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.486{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.477{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.476{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.474{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.472{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.470{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.467{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.454{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.429{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.426{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.425{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.414{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.410{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.409{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.406{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.404{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.401{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.400{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.400{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.397{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.394{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.386{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.384{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.355{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.354{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.334{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.323{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.283{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.277{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.264{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.259{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.257{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.253{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.250{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.247{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.246{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.243{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.242{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000153889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:08.240{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000124964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:09.495{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A31D1AE5195E543C1877BDDF174061A,SHA256=D225EB903436D668B4B77D4C427E993A811E4F8A165CA461BD8AA308833FAA23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:06.626{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52980-false10.0.1.12-8000- 23542300x8000000000000000153928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:09.030{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D05BA3218F8A89D88B26EA8F811D2A0,SHA256=1E1991BE6C401E25903949546F007B9C36419EBED1FF4C99EFD232B27CB9DB6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:10.598{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B10634FB9BAEED23421E3EE50102DF,SHA256=78E868D660F6221E9197D9AB6D8FB4791ECE433D0423F617692F7DA09DB4E875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:10.101{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64E0DDE11C4BB2D20F7F25518BA4FF39,SHA256=A706A1D0BB07CED27CAFFFCF20EE02F1874B25CD082A6DAA5701185B5B1BF961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:11.668{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AF3D9B25DC28DC89EFCB2742F4FECE,SHA256=218FE9ABF71C3050262C108DAAF57DECF7136DE7576B4DC1B02E6F1AB5D8A4B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:11.533{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D2EC-6322-0100-000000007402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000153931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:11.107{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C201C8AD70F74D80FCFB243386B8E1,SHA256=05BFF8C5BE3550403863F6E33E9A994DC36DAD5E50CFDE0F7AA59AE7C34515F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:12.719{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21CA7728F504C65AD9AA95F677C2ECAE,SHA256=FE43257C2409EB25994D5F57DEEB4A358ACBFDBBCDDB157B70B14BC2FE1028CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:12.565{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49030E11436D145DF90093CBECF5506C,SHA256=1669D57252DBF4E9D145C2312C21D0CD479BB8BF32678AC163F41184E48EA9C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:12.117{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED004D1B335B3A2F2A217E995936A14,SHA256=39A240766EABFA181DA3776E757122C04968F3D2902D49FDF2F0035D10F6D817,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000124969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:10.114{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53685-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000124968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:13.787{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C89DAFC6B6B99E4B3B70A080C307D0,SHA256=8D63DC30ECA168C3CAB53DF82A2A2443C6A867DEAE5E1935423F9CA1DCEBD0F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:13.223{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4179A99D0F9D507D76BA800EC98E663,SHA256=D12E4EF94FB0AAEB893C0709A1487FA2B8A3B8A967E0395FBD36FFB2B3429D2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:11.040{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52981-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 354300x8000000000000000153935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:11.040{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52981-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 23542300x8000000000000000124970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:14.872{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA98539595E5B09E71286D7D310FFCB,SHA256=0BE388B270C51EDA9C7DE0AF19816ABC9C74C6AF75D4E4FAA9231B49C8A8B6A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:14.530{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=447DD9836B6D48BF865676C6B298EE12,SHA256=9FDC3DD5BCE507A8539A4059C850D12A1E387F6E13E8299194D87F326311F68F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000153938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:11.653{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52982-false10.0.1.12-8000- 23542300x8000000000000000124971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:15.945{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6EB729C91AE66743673A225EBBEB53,SHA256=436EDF04D2457A2D36673D353C9DE8BB7777F80F50786E5F73D464DDF59E8EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:15.770{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:15.637{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87024104BB90B788B08263E5B121C93,SHA256=24F905383A72E4391B14394345DCB377E20B598E9FB61F73CA576EDF90EE0578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:16.844{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E970381A82E15E341AED87B17A3A99C6,SHA256=05D26E7D77BD818D1FDFC33E0D009F422409ECC1BB3E0D4C3EF4E19B093B2AED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000124972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:16.990{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B14C88AC339C08A7B4E42F51F12FCD09,SHA256=2BA3DCDA29DB920F0B0F5F3B9EAAD051B74A80AA1CEC8021C24EE6D525E3BDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:17.952{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE056A065F21302CE4D0F5CC5B83812,SHA256=DD757DBE783DEA7B9A9187A205702A2455398F0376D847840C557729BFD3BA9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.998{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.993{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.990{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.987{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.984{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.977{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.975{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.962{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.954{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.929{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.922{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.913{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.905{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 354300x8000000000000000124980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:15.132{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53686-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000124979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.892{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.882{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.873{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.861{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.851{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.843{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.840{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 354300x8000000000000000153944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:15.264{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52983-false10.0.1.12-8089- 10341000x8000000000000000125024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.200{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.187{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.183{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.178{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.175{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.156{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.155{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.155{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.151{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.148{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.145{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.141{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.132{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.130{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.114{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.102{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.091{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.059{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.053{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.042{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.037{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.035{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.033{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.029{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.027{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000124999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.021{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B1EE5E71E9658B39C5162CBD918447D,SHA256=00EF3A78216C3F2D31748D81DEE579AB188A66D555065308262923F6968CDB55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000124998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.019{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.013{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.011{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.007{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000124994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:18.003{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 354300x8000000000000000153946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:16.734{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52984-false10.0.1.12-8000- 23542300x8000000000000000153945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:19.057{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26EA0F290D5107FBE9AB84222FC7A65D,SHA256=81F65E402B9BF4B9B55AC5483B7C3A6F0CBB3BD2D7D6839DCD05C24E4D8968E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:19.124{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C17AD0D389745D059523B31918D77E5,SHA256=1FB1BAA7C9429E95C693BF740BD1C34FA0E6B1D9A2F80570779E9ECECD85F2A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:19.000{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:20.878{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3B5211783E254DD02130F08903092727,SHA256=944472CB131D9AC302E374AC9ED5EFD1644CA5B1250710E3BE7A4D2A2BF54D91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:20.241{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:20.241{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:20.241{E743DC12-D54F-6322-0B00-000000007502}628712C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:20.227{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:20.032{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D7E833E18F3688956F769D239F79E5,SHA256=5A30A583AABD217154D6F1A55FF6EB66D2CD1EB8660B19E49F8ABF9339C83FAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.889{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F50-6323-E313-000000007402}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.887{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.887{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.886{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.886{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.886{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-1F50-6323-E313-000000007402}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.886{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F50-6323-E313-000000007402}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.884{6820D070-1F50-6323-E313-000000007402}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000153961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.274{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F50-6323-E213-000000007402}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.274{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F50-6323-E213-000000007402}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.274{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F50-6323-E213-000000007402}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.272{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F50-6323-E213-000000007402}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.272{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F50-6323-E213-000000007402}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.272{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F50-6323-E213-000000007402}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000153955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.223{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F50-6323-E213-000000007402}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.221{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.221{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.221{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.220{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.220{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-1F50-6323-E213-000000007402}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.220{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F50-6323-E213-000000007402}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.218{6820D070-1F50-6323-E213-000000007402}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000153947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:20.065{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DAB0B7F1B91931F69E63042E9412075,SHA256=746C459E14C9C5C155EF8B53343811493FF49A02CAEE1F38076DD22570AA8BA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:21.758{6820D070-1F51-6323-E413-000000007402}18446312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:21.562{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F51-6323-E413-000000007402}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:21.560{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:21.560{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:21.560{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:21.559{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:21.559{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-1F51-6323-E413-000000007402}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:21.559{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F51-6323-E413-000000007402}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:21.558{6820D070-1F51-6323-E413-000000007402}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000153973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:21.557{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=835197003B510E1578FAF82372B62C1D,SHA256=7FED9D14D74E75097F451F7CE6B1259D65E9050D6B4BEA75FA785ECD9DE7A49A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:21.310{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD4EA0F73A2C6398CF9FE52D930C74C4,SHA256=44EF74E2D2608BCBE3E92B6257B0FA8557FB2BA1ABF085F24A7C2FE1176C6092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000153971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:21.177{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD23B5A450EF933CEF61480DF70752E,SHA256=1D8F58F71E314309C8E3F59333D6C9872B45FB5D50D848127E7AD41F1FF198FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:17.957{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53687-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000125033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:21.062{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D3B75299DFB5BEB6E763726FC63288D,SHA256=E74AA7BE547C7AAF0DFB91D49DE23A7F604ABF045E116EF2C58943EC0BA70C3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:21.111{6820D070-1F50-6323-E313-000000007402}19487196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.885{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F52-6323-E613-000000007402}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.883{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.883{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.883{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.883{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.882{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-1F52-6323-E613-000000007402}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.882{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F52-6323-E613-000000007402}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.880{6820D070-1F52-6323-E613-000000007402}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000153991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.290{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E02295058300B3CE2993FB45062998,SHA256=1038E29B733BE67777CC49100A6F73B0C882D064AFF05B16B9DDC62D54CB0BB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000153990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.228{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F52-6323-E513-000000007402}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.226{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.226{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.226{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.226{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.225{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-1F52-6323-E513-000000007402}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000153984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.225{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F52-6323-E513-000000007402}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000153983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.224{6820D070-1F52-6323-E513-000000007402}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000125035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:22.163{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0CD95A1E2F3C501CB3123C9D5852B5,SHA256=B5F12FCCDAE9B4C011FA14EB857577C8EA20CC9EBE31BE644705B60E3AA618E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:23.229{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9C213E56D6A4C521D4C4BD0204019F,SHA256=9243DF8911AF6855A608B90DE5035F6F7F5F77930F00470B01AAA540E9E7F8C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:23.820{6820D070-1F53-6323-E713-000000007402}68607380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:23.553{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F53-6323-E713-000000007402}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:23.549{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:23.549{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:23.549{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:23.549{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:23.549{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-1F53-6323-E713-000000007402}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000154003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:23.549{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F53-6323-E713-000000007402}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000154002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:23.546{6820D070-1F53-6323-E713-000000007402}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000154001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:23.301{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7968AAFB0BACE43DF02DD2DA5E8E0358,SHA256=4240225C7242B5324A17CDCB8E4B27E2BAF99D42820EF376A5E34A1BE20CAD41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:23.034{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8749B787ED4F55E63EB63CCBD8F2FA26,SHA256=66E960FE3B3E63C12EBBA46BBB5233EDE98812D56024751269768DE42F8905C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:21.138{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53688-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:24.297{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89278B46E00FABF332002AE403ABBF12,SHA256=9DF4CD2DB25FE987AA0EA794B45B624BDF236692A1E38D65035201FC46F417A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:24.538{6820D070-1F54-6323-E813-000000007402}73367956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:24.324{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F54-6323-E813-000000007402}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:24.322{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:24.322{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:24.321{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:24.321{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:24.321{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-1F54-6323-E813-000000007402}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000154013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:24.321{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F54-6323-E813-000000007402}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000154012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:24.320{6820D070-1F54-6323-E813-000000007402}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000154011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:24.312{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB5E726D25880C01418DE3FF283CBE8,SHA256=99A5DE243748854B079B53CEA519E33C3BB343E883050966C018678EEE0C0BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:25.340{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F52CBCECE1E99232943AD93A11E3CB5,SHA256=13B1077F66A539F4BA6F5F61EEEA9F0169EA61AA78BBCAE63C7D9BD49175B7A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.623{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.622{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 23542300x8000000000000000154043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.435{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11261FD5698F992E0D882264191BEEE,SHA256=9AE5DC27FC6832F5C95CE33D470E1E5121F2058E19E721DA14B72E2EB9BEAA53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:22.567{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52985-false10.0.1.12-8000- 10341000x8000000000000000154041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.227{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.221{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.211{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.207{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.200{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.194{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.192{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.190{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.185{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.157{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.143{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.139{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.132{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.123{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.116{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.102{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.093{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.082{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.073{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.029{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:25.026{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 23542300x8000000000000000125040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:26.455{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC0957B7044A2200265EAAF0B4020CF9,SHA256=D7EF28DE1B27C29EC46923F1B6ECF3B8EAC7CFB4857DB1F8DEE245054EAC3254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:26.341{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE74884815189BCFE147ED2C3627EB3,SHA256=385B5B93FDB2A50FB45299D6DBB8A13282632AA9683C60A761960910323E1D3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:27.537{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B527E4864CDED855AD7B244BF20D7C,SHA256=C9502B2604274D8CA5070B558624304F1520D68C8151D0E8924624CCD3453B35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:27.634{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:27.632{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:27.628{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:27.626{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 23542300x8000000000000000154047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:27.346{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953CF49298BA420605AE8CCAE4E3A3E2,SHA256=8201B4EA991EF3A34ED264B5F1E3D5F69B4AD9DC0E3081807AF3540B918A50B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:28.806{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-307MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:28.586{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1436E9D8BBCDBC1E473CAEE80F4698CA,SHA256=3A167B49CD07ACA109FC815854DC3FCE07C8D7225E9BA06A2A7E3CAAC8DC7B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.488{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365097A228E2A8A283B2120C267193A2,SHA256=7E58242B95EFD989D87A4D3A68F26CDAC428026586B8F02E419FBB76762695B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.476{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.476{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.439{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.437{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.436{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.434{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.429{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.427{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.423{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.407{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 23542300x8000000000000000154083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.356{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052F8FFF1080DE0D85EAFBB356004A9F,SHA256=8F3174A28D9966DC0A6A3653D9DA81FA4EF010C20C95E1F3C13B4E351CE00A12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.354{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.349{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.347{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.333{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.328{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.327{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.322{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.319{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.314{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.313{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.313{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.309{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.297{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.283{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.281{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.258{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.257{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.241{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.225{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.187{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.179{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.169{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.159{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.154{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.151{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.148{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.145{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.145{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.140{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.139{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:28.137{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 23542300x8000000000000000125046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:29.806{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-308MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:29.637{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D677FA35E08D1B92DBADEE1C95D51A89,SHA256=490FC4BCF36955C30D23EE9BF1706E490FC02BAA52A51454AA18E85BC276BBEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.696{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.696{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.696{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.696{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.696{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.696{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.696{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.696{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.693{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.693{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:29.382{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C033D50D3A510375B2A719A6683B0F,SHA256=8680FD90A2FB339F755530C4C09B88060585329F0B8E7CABFCCA695A47884D89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:27.132{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53689-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000154095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:27.582{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52986-false10.0.1.12-8000- 23542300x8000000000000000154140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:30.526{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC3DC9315E21C1C8EAECAEFB6313E1E,SHA256=52F853D2137ECAFD97CC8C8EF5511B8A496E0ABE81416E046EABACD0FFCF1A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:30.704{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954F63A2EEF109EC886323C9F03BB463,SHA256=E2A2DC4BE9E6D6641E63B55A62E6B570AFEC98C8D20DB769B843B4265A23151A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:31.610{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA7D56B92EB47B4B9EB589A59B9189C,SHA256=CC99BA76471A06D682DC72CE7303C2F0D6ED865B3C11DEA372CC06C898D344F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:31.809{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237F8EA83F723C30ED919BE670BD7EEA,SHA256=D338892DCE312524BB2DF9BD102FB75F47A46C8E92219AC24623BD64630E34EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:31.123{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=57E558DB1F06AA57CF0C511EE8979A13,SHA256=E79A832357E4B2702A1EC2B7271D26BE305C5B13E8E40037ECBA4F6EB6440D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:32.894{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F3BFF35917059A130375A2AE9039AA,SHA256=8551EC84F58A85F6B2A1E01C867E2E13D6C7D9DB8598A48C322EDCDC0444628B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:32.951{6820D070-D2F0-6322-0D00-000000007402}9084416C:\Windows\system32\svchost.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:32.951{6820D070-D2F0-6322-0D00-000000007402}9084416C:\Windows\system32\svchost.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:32.951{6820D070-D2F0-6322-0D00-000000007402}9084416C:\Windows\system32\svchost.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:32.614{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CA9FCE830EAE63208D97F0A589259D,SHA256=C2F75606FC5FB1B770C483BFDAD4CF40FC532AC6A667750F44F5EE428E55A053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:32.349{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000125050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:32.349{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:32.349{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1214ac6.TMPMD5=39D11997735CDFDAB7051AB86B8F82E9,SHA256=34F34B56FDEF9CE630B3344FE748DFBC186169F1CA2CC69FB9A6920D5DE026AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:33.967{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA95657AA7D1B2345FD2C2765E3BF4BA,SHA256=83435F13E006E7CCE9AFC3B12496B69F3449E2C3D93C6B76AA5C95F815ACD6A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:33.621{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A828C3F7723ECFDEBFCA7B810C518FE5,SHA256=C24445A867AD04E27CAB9896F8D3A9BC6547C2411151788D210F3A5480853EB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:33.326{E743DC12-D550-6322-0D00-000000007502}7843528C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:33.326{E743DC12-D550-6322-0D00-000000007502}7842752C:\Windows\system32\svchost.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:33.326{E743DC12-D550-6322-0D00-000000007502}7843528C:\Windows\system32\svchost.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:34.626{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C6E15D10B14CC7E037EFF73BE7F2DB,SHA256=66BFE083CCEECA4DDE04F5A3C852E981BA17437CAC8BD3C94BFD6B9D18C3FBE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:32.625{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52987-false10.0.1.12-8000- 23542300x8000000000000000154150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:35.732{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E48DBF8D0D9AF801BC27686115412245,SHA256=BE29EFCBFE2FA7FA7A69E69736CA82F3EBC9B1E34C9B92D5787D5938768EBF1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:33.070{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53690-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:35.046{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32F9006B9D9802588A23B3D2CC73533,SHA256=9F4A32464ECE35D54CA1091BBD14D21339C881FEF822A03D5439855768CB1C8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:36.842{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784223F65EC40B1D80E2B353AAA90517,SHA256=187EC32A36E2D96D218C7F0F99851DD9EBE22CAD6EAD066D9C5FE7228D89FC60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:36.130{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46BF0497096FDC05DFBC8F879F1359E9,SHA256=1C3820E12DA4A62D7A212E28726B1EBEC0B379408CDB73D83DEA459FBAA7FC06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.997{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.995{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.992{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.989{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.986{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.977{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.975{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.965{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.957{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.919{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.913{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.904{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.897{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.883{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.873{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.865{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.856{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.844{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.833{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.830{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 23542300x8000000000000000125060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:37.215{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E62612212C4A8022500CA215BCA178E,SHA256=159E6F3AFE9C307D1F315E635E863C9C50EE0E990F2296F6EE84B99FE61E0792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.701{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=353EA54AF2A2666185C0ECAC7E98AF32,SHA256=A7FBB1BB4D4AC15165A0C55201133D6EDFD22B238F01A2379529058B1F2A6DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.616{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA400B273E06914BE3EA051B3BDC1F9,SHA256=A0A95367E7797E7A190A5E6EB183EE75302ABD7F0DB5043E602BF2A8C08A7B83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:38.537{6820D070-D2EE-6322-0B00-000000007402}628764C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:38.537{6820D070-D2EE-6322-0B00-000000007402}628764C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:38.146{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84C7B7D2095858BCF06AA455D6CD9CD,SHA256=C78077A350DADDDEAF671CA4D988CA5D93DED5077A51BDCD06588411F8318371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.178{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.176{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.171{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.169{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.167{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.155{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.154{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.154{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.151{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.148{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.145{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.143{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.135{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.133{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.106{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.089{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.078{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.038{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.030{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.021{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.017{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.015{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.013{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.011{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.010{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.007{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.004{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.003{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.001{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.000{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 23542300x8000000000000000125113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:39.654{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D30B2A2AE00CCD9F3E749C77479400,SHA256=CEF4E3C843D7FF1FB23982EF962F21045BEEFAE43146215C30775B7AA48C6CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:39.252{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E94D378B964775F95701FE7F585DBC,SHA256=10BA9DC8B38334A90F708E410DEC395B377FD9C00D49E1AE569599177DA4CED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:40.774{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F5C36769FDBFDE76B3C9C6AD33C5944,SHA256=D20F13DF167A4C2C27A03116F63ABF57E1234AAA6570E4100CE29ABBD1BAF3A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:38.176{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53691-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000154158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:38.049{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local52988-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 354300x8000000000000000154157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:38.049{6820D070-D301-6322-2100-000000007402}2504C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local52988-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 23542300x8000000000000000154156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:40.257{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A5AD2B816015FF4F1F1E6E6621B249C,SHA256=55608FD0582712AD452AA03FFDE3D151A3C7E4A28A78235F958909D9C5D271B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:41.917{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A933B5D59AAF63858BE7FCE2E9DD310A,SHA256=308AFB84E97FF5199EAB2CF7A33D8DFC94B184786058A7DD218843991CE5FF82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:41.365{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1648BEAB45AEC533EC8BF05015CE0317,SHA256=E6285E807E6B77043758BB21CD9D7BFA507E8C56B48A7F40039448D9DD6102F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:38.538{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52989-false10.0.1.12-8000- 10341000x8000000000000000154160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:41.314{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:41.314{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:42.372{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F707E899FFC238A6C0D09049920AF08,SHA256=524C8A04AF41E65BCA4EE30D8D3FFAF3573CE465FE5FD95D7EAEA53619F511FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:43.478{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2052F77EDDBD81AA834556BD47C676,SHA256=2F86B25ED9BE6A51323F1EB93C9E64FE25669863DEC505F1B2C968C0BE11F908,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:43.702{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:43.702{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:43.002{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA374EA520020B682F0F315F611C4EB4,SHA256=2CEFFF91E5BD6C4A1FDF033B9758C2B549D6705EAEADC73400248199702DFC78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:44.786{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE83EFE294C7AC3F3612F9D8AC37339,SHA256=4741C649E4A528B8A38F0CE099A46BBD9461C94C471487FEA6ED03A4BB61DA57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:44.118{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C436E152868AFE7B0C588EECF38F873,SHA256=10ABBEA13532E6B321540338BA74FF01AEDECBE237D29FBD413E0B947D051FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.902{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E2FA5A5DD2A6E97A0E13BA0E76172B,SHA256=753F9744A10CD2C1C25987CE5CAAECA26FAFCCC60847809756C9BA2A260E315E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.884{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.880{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000125121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:45.217{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4922D1D05E6659433BB792CC4F013505,SHA256=3E16C89163AB08E14C77E3FA2283B7D704DFF1D5CDBB1F89FA10F41D57D862CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:43.621{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52990-false10.0.1.12-8000- 10341000x8000000000000000154186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.346{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.340{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.322{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.319{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.304{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.300{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.298{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.294{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.285{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.244{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.215{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.211{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.204{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.197{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.188{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.177{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.171{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.162{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.156{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.063{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:45.045{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000154191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:46.907{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8011D20E8F42B169BB28090870F9151,SHA256=C3A6CE3B16E7FB9B854B43CEF72AA2D247D5E44D2FD3101FB660CC82092C24D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:43.223{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53692-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:46.317{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B44AD7DC08CD7955D3851803164C1C0D,SHA256=692859680E55AA3F436296F9880ED8926DA75126F390405726376D64CDF88916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:47.914{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4CB2515A43365238AB10D39870547A8,SHA256=FA4B917B023CA28234D94FF34B4A4D9BFC4CCC6FE1EF1D3EDD48EA5500E9A698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:47.417{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219BE542281FFF46573C62A9EF3A8DA6,SHA256=D715F00DF1040F42A7CD11E9A86EC3E6B26EB04BAC5BC391B2131DF5DB447321,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:47.896{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:47.895{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:47.891{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:47.889{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:47.685{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:48.734{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E6E354A88C096A447F33B4C44021BBF1,SHA256=B9E333010EAC590FF20878961BD3D4EDD45E214CC31F118595D8A28C354A5819,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:48.645{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1F6C-6323-B40B-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000125138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:48.645{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1F6C-6323-B40B-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000125137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:48.645{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1F6C-6323-B40B-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000125136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:48.645{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1F6C-6323-B40B-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000125135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:48.645{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1F6C-6323-B40B-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000125134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:48.645{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1F6C-6323-B40B-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 23542300x8000000000000000125133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:48.501{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5E096FE9D360CAE1BBA0AA82AEC769,SHA256=E819BDFB7DDB52805070A374AFDAD2B9609701E03DAEE44B5940E6E0EB8C3761,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:48.454{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1F6C-6323-B40B-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:48.451{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:48.451{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:48.451{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:48.451{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:48.451{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-1F6C-6323-B40B-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:48.450{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1F6C-6323-B40B-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:48.449{E743DC12-1F6C-6323-B40B-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000154236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.634{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.629{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.628{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.626{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.624{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.622{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.617{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.593{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.566{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.564{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.562{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.553{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.549{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.548{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.546{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.540{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.539{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.537{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.537{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.535{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.532{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.525{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.524{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.505{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.504{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.489{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.481{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.441{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.434{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.424{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.418{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.415{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.413{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.410{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.407{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.406{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.402{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.401{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.399{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000125158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.876{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF2A02257BE190816DA14FAF2AA7981,SHA256=7CBC11EEF02A21FCB2AC621FEAB63B0BBB9B1DBCE0050E57F16463C95A3AC097,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.804{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1F6D-6323-B60B-000000007502}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.804{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.804{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.804{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.804{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.804{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-1F6D-6323-B60B-000000007502}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.804{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1F6D-6323-B60B-000000007502}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.805{E743DC12-1F6D-6323-B60B-000000007502}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000154237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:49.339{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422C3950C8BAD1BEDB0A68F7E78E0D0C,SHA256=167360A27D52607080A9DE5250C489C51EFF6F34595521F9D8C7EE979E2E8A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.503{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=470D91FE5950CF75622D64FC417662F6,SHA256=3B87E4F1688069AE3D6389B7F3FE591D485E6B7E84A68DE60A2634F0E533E20C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.133{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1F6D-6323-B50B-000000007502}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.133{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.133{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.133{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.133{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.133{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-1F6D-6323-B50B-000000007502}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.133{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1F6D-6323-B50B-000000007502}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.134{E743DC12-1F6D-6323-B50B-000000007502}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000154239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:50.442{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC6BA34CC3DE41B2D6722871D37001A,SHA256=A786EDBF14F4AA7AE52840BFFBF732524EA4B7CAEAF820DAF97631C15FC78CF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:50.618{E743DC12-1F6E-6323-B70B-000000007502}29681376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:50.575{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=F4C92100D2DE5854B213069E777F0978,SHA256=F556283797DD6AA1A829305CCFFEC45516F504EB06FB8F35E259AB0028F397ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:50.475{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1F6E-6323-B70B-000000007502}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:50.475{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:50.475{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:50.475{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:50.475{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:50.475{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-1F6E-6323-B70B-000000007502}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:50.475{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1F6E-6323-B70B-000000007502}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:50.476{E743DC12-1F6E-6323-B70B-000000007502}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000125159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:49.987{E743DC12-1F6D-6323-B60B-000000007502}31724072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:50.152{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-317MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:51.448{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6602F8F2F2F247ACA5B1F2511EE0A1B6,SHA256=05FFD1F24A6E159C5D702E6EF99E7F23BFC9741BA27B732F488D0E7125047EAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:48.980{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53693-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000125188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.823{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1F6F-6323-B90B-000000007502}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.819{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-1F6F-6323-B90B-000000007502}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.818{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.818{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.817{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.817{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.817{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1F6F-6323-B90B-000000007502}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.815{E743DC12-1F6F-6323-B90B-000000007502}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000125180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.334{E743DC12-1F6F-6323-B80B-000000007502}16202516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.155{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1F6F-6323-B80B-000000007502}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.153{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.153{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.153{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.153{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.152{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-1F6F-6323-B80B-000000007502}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.152{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1F6F-6323-B80B-000000007502}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.151{E743DC12-1F6F-6323-B80B-000000007502}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000125171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.075{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6976487033598206855425D1B85120C,SHA256=4425F7CADD308F64775B6237F357F5BEFA8E24DA1038CD968EAA8F7BB813A990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:51.058{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8F7CE51F2AB4CBA7867E769E7CC9F044,SHA256=5216169D5AA4EA8C1F9CF1075F24525555A96DAEEF3A04FCDCEEB7ECBA8B0FDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:48.731{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52991-false10.0.1.12-8000- 23542300x8000000000000000154240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:51.151{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-318MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:52.598{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000154245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:52.598{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:52.597{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF12ae6dc.TMPMD5=1C1390FB7031B53AF8B5015FEB516BB7,SHA256=7E9DB3FA9C07EFD7A9158EE7BC0183A5F15EBC556C75A7245F742DAFF3D723D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:52.455{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE6B511BCD50D77A435C02820846C3D,SHA256=AE032FB89DEFC33A49D0A82E4AC24EA19FCD03615D45DA1C0A22A2401DA47BAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:52.703{E743DC12-1F70-6323-BA0B-000000007502}30044224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:52.503{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1F70-6323-BA0B-000000007502}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:52.503{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:52.503{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:52.503{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:52.503{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:52.503{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-1F70-6323-BA0B-000000007502}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:52.503{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1F70-6323-BA0B-000000007502}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:52.504{E743DC12-1F70-6323-BA0B-000000007502}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000125190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:52.188{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD33B9F6072420F3FFA36BABDC53CBD9,SHA256=5A9AF423622F1BC026A46B81CADA24CE675305218DB2813AB197593D5773B089,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:53.528{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:53.528{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:53.466{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2ABF4E7B6A200A771CCF056DC3C5D48,SHA256=F397E5D328BB5C4E16405BB576869C93CD94A3FD0B3C902F7CAE27523B4603EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:53.319{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0321C010A9EA9C17118256130651D91E,SHA256=907B2A8C1694210346187515A319720D8E0462B47AD6380DC6D66EFC4831C721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:53.254{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8C2B8D078425960FD145C7C4C3DDB8C7,SHA256=1F6EE5988A5053D13286B93DA88CDD15A25FBA3B882CF81F64856DC1B87641C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:54.477{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EADC46ABB56E235CF61616267C9B8E4C,SHA256=C863B1C697AA818CDC583B09B4620ECB10092B653B853509D041DBD6975D3814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:54.452{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648A9D0FE3B1246EB18B8597C394A18E,SHA256=869371F78E67CD3BBBC939DB60313ED91EDDEEFD24D4098184D6F62EFF22FF55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:55.604{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185BAB7648A1FA9CD3FFD25F53B21324,SHA256=756FE7E565A8A104943DC8C2AF7221A1F86FA88DEE1F0C46CF73BEBC2702C04F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:55.585{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0507A5685167BADEBC311B54E9268D1C,SHA256=51FE4E380B06E7375D79F5BEE5F62990BDB21DE5E47F061069C2ED856307A8DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:54.210{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53694-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:56.735{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF94DD265759D24FDC33A11034A039B8,SHA256=F6129AD2BE1E7E70FD011611A8F139D04E42EE191858004B7DFD36B3B0C9345D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:56.594{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045430F04FB30B2AD3E348DC299E3AD9,SHA256=70195A1FE4A278294AD3168DB41393ED328BFEB814BBD6A366C4135D9634618B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:54.618{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52992-false10.0.1.12-8000- 23542300x8000000000000000154255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:57.602{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFE76E3FDA159383D2DD549C01D23D3,SHA256=BC097669BBFEFCB1C69087C9A169D9E676B432317FB8C3035F90086BC79A49B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:57.986{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:57.978{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:57.947{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:57.936{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:57.918{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:57.905{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:57.890{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:57.884{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:57.869{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:57.857{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:57.847{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 23542300x8000000000000000125207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:57.840{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BCF664448803234449E1CE5B6A6D3FF,SHA256=91EC8A8C0112D2252482B6A8C44F8186098309E14671718D4937A01824E0CB87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:57.836{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:57.833{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 23542300x8000000000000000125257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.960{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF15FF007C4ED7707202C1EDFAAF5083,SHA256=1D3650CFE75F092F0102C9F51F8E7EEAFB634C5549D3F1F70527943A436187F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:58.611{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB1AF5EDD2CBB0A7C69D57970200009,SHA256=EDC9E16ADFD699D23CC6D6444C9F26F30352C54CD7C5689433D9088A18C2B9B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.322{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93279AE16E8A1268192A7D2F2AC4D0AC,SHA256=A6C8C7ADC0AB0BAE187188F7A5B40B105C3E4546DC8D9AEE5C8B5DE76BE09036,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.176{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.174{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.172{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.169{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.168{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.156{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.155{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.155{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.152{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.149{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.146{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.143{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.136{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.134{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.115{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.103{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.094{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.072{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.066{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.057{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.052{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.051{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.049{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.046{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.045{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.041{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.038{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.038{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.034{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.031{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.029{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.027{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.017{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.013{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.009{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.002{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:58.000{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 23542300x8000000000000000154258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:59.620{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92387D9C2EE6148084826823D99803A,SHA256=9022EB4BBD56266F2EE6618B8AB209A7B9306FD205832EAB49F962C4A36CD0DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:59.333{6820D070-14A1-6323-7F12-000000007402}78967424C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000000FF957B)|UNKNOWN(0000000000FF9501)|UNKNOWN(0000000000FF9475)|UNKNOWN(0000000000FF939E)|UNKNOWN(0000000000FF92AA)|UNKNOWN(000000000810E5FC)|UNKNOWN(0000000008107365)|UNKNOWN(000000000810756E)|UNKNOWN(00000000081075A0)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 23542300x8000000000000000154259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:00.629{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BD6D0C6A2CB1B8F9C0C9F4529A719F,SHA256=6DD31E973DCDACCAD643159B8BCE8ADC9EA6EED18DAE615453D6A884576A6E18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:00.077{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=274389D9E43E0BCEDA9C5D47D2F62114,SHA256=F1FC5B3B49AFCA609C331F65B74A20C257967DAACE8C733613CA6976DC274204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:01.935{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A88034C241C80614D2FC90AD7736AED,SHA256=F040FF9BE27BCFCF0432F5559C3A0A325A7E6EEF7CFCD1E93E64FF61DA9A9899,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:49:59.211{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53695-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:01.178{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F4D6AB7D78FD67A769E17BFC581D6FA,SHA256=EC5C15330503DCA14632E56D8F178DFD990087C681B2D68D648AFFED4E3613EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:02.256{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8F57ED5766CE348B96D8EA5A9AB5C0,SHA256=322066E33CDA49124AA7E32A0DD0D6A62398111206209DA40F974A9625478B43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:49:59.738{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52993-false10.0.1.12-8000- 23542300x8000000000000000125262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:03.378{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFB168D29F156C87473F3A5B924B9E4,SHA256=207D2DEFF10E898FAFAC24B5D71BB3DA15F5A44562F57C9551FC4CD0A4DD8255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:03.842{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AFA27C8A7B24B6E57F1AD9A7EF8451B,SHA256=D558484D5B7587FFCC5724F8FF65A5B1C94E6349FBB0C7354777F83D3D08231B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:03.041{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1FFAFE069030B06D60ECFD8E33E9489,SHA256=3B4F6F91FE8F5586AC1C429781D207F7BF8454450F06332187FA4415E3C1961F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:04.490{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259B04CFC260AB51123BE2537915CB0F,SHA256=A1DD29D9C5905461488F52B2663CF0DB68BDF1A10ABED3A8E814A63FB8BBADA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:02.287{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local52994-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000154267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:02.287{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local52994-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 10341000x8000000000000000154266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:04.233{6820D070-D2F0-6322-0D00-000000007402}9084416C:\Windows\system32\svchost.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:04.233{6820D070-D2F0-6322-0D00-000000007402}9084416C:\Windows\system32\svchost.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:04.050{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3F3DD2E8410CCF1680AAE1488C786E,SHA256=F6F0CF9C67BAAB0B5FD37579B7595FD79FC273A483C98622C4164B48C6E7C21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:05.591{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C70AB7FADA3FA676BF135F5371BD9631,SHA256=06C75CD679540D176619F20C9E3BD48D7FD8C227E6C7FCB1E013FF15FE1896F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.959{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.959{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.881{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.879{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.317{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.317{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.250{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.244{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.228{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.225{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.218{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.214{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.210{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.208{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.202{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.170{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.148{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.143{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.135{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.127{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.118{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.107{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.100{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.092{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.080{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000154271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.062{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2F300F229E7F8F318174E5059B4C42,SHA256=51E57B2AB412E7C72716F397DA65EFB4508309780A6B31B297DED8B9075E8A67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.031{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.029{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000125265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:06.682{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2742FD7B9E42ECDAFEBA2149BCAA1E,SHA256=C9E945D7C5750140CD8B2271E14DE0301DE9BA4DE617357CA84475A606CE6D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:06.081{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09ABA6E7B1AC5E9879634B9BDE06F278,SHA256=2DE9966183A2ACE5D20C89CBD30A3FCF5A82D367B83DB8F57D421685AAF3CAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:07.710{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDDC1488BDA593C93868356AEF5CE27,SHA256=4E5E3D21CD4046C4E8E9557F0B35EC6D603696E929854D7A86ACB6C0EEB39023,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:07.892{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:07.891{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:07.886{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:07.884{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000154298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:07.089{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B635174CAF99BCD0DB6C9FA0F115E5,SHA256=40DAD2CD1BC2CFDF5CA18399FF90B9C24C4557010E4492FA36DC8DFE7672AC12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:08.838{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4949310A824A01EF0080B851D650C3,SHA256=3665D45F6550A641E264A7C7546054F1F23432D36BD1FA07F05E16771D6A2E22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.641{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.639{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.638{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.636{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.634{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.632{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.628{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.608{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.584{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.582{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.580{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.570{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.565{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.564{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.562{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.559{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.557{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.555{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.555{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.552{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.549{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.536{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.532{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.511{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.509{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.494{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.486{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.443{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.435{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 354300x8000000000000000154314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:05.707{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52995-false10.0.1.12-8000- 10341000x8000000000000000154313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.423{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.416{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.414{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.410{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.405{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.403{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.402{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.398{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.397{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000154304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.395{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000154303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:08.102{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52505ED8C193B07B311D2DB6622758B3,SHA256=23F3145F3449E871064A4BB6019AA1DA926CC8859C7F67714BDBD68089E22299,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:05.081{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53696-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:09.916{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954780F114E52C8F0BBBC87D61BF0DAF,SHA256=8066C8E581E4303805E9D6A383068712AD656C9EFFBD1E865D3EAC867024023B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:09.214{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD8FD8B949531DCD76BC7DA0E78D270,SHA256=6FDC5ADFBBBA66C67D66FD6B03DDCCA948732221F38BDEABD998A4EFB74019AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:09.182{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:09.182{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:10.230{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B79AD990F52EDDCFA045F5E4298D9F5,SHA256=F39EE37A595106B9D5CF7954B618D9E68DB1AD1BBBD2E0DB550DB0F2F06452D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:11.212{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:11.212{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:11.027{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646715209C677B1CACA0E47A9A6F4DC6,SHA256=A070D6D1F41B4463B99D7D12E7C25FB16CAF7982A2E3EC810E6E6EF72C41744A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:11.235{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87C8DD0421A7D85F3C3DFE7F989B407,SHA256=916F78777F7F1EC2FE500D7460EC2D1A706AA044AB1B66FF7010F19738637EE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:12.161{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B375CF4E6D6ABA7CEC8B51F866E5E5,SHA256=0D1D3746CC10B24F0B1D09E0A4ACC92D504633E1E1464DC58EC5C3F140E0675A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:12.243{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD0A0FB79092FBEA5F8DDA4F626A6E4,SHA256=6DB0E7AFADF7C6096792CF13C6DA9EF896D6AF7AB4E67F5D8335BFB5D1CC3379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:13.311{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C212CFD5EC4AD6459C083230566C7BF,SHA256=82F94D95D8E8FEAA1CEEC4A8D2B335502316F465F1E7D61CF878A01A36369AD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:10.739{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52996-false10.0.1.12-8000- 23542300x8000000000000000154350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:13.252{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2A098C746B069FB17F0B03C5DA3F94,SHA256=A9D237F75D902D8ECC7740F2646C4C6DE6CD79E838170CCF3F9ABEA7C069249D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:13.147{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=9C5D7E3B09BEA8F6BE6643B8435B96EB,SHA256=B9A21E5B238FB489B81B5AC99B3A9FD8F43B3AE0C85AA16B0C721E1A3470486A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:13.129{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\permissions.sqlite-journalMD5=F30AB7C9C1B3064DC1A0CB8FA4F0B077,SHA256=007EA09E77DB710460AF34C647B277F62B4020F34EB8C2F4CE5CB9A4B4334B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:14.415{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983EF91FCF9F24A8DCC58F3D9E17756C,SHA256=AC6A6AF1F62D1D549BC2104FFF9C4D77D4DFF0324312D8F6A8737BA7EFAD55AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:14.260{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF6B352B8D3A3269AB29D5479685462,SHA256=6D8967C98FCAE2D896D074D5D931ED7D2D4270AEE96A9F143F977E8BB12056FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:11.101{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53697-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:15.488{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE0540ECD841CFDED178C81467CFE05,SHA256=C2C8BD6675A525FCD0133DC860F974207B672DC3247F1258684F423C271E70DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:15.786{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:15.271{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CADA3A7F12D207EF6C44A579F07C7E7,SHA256=602D2579793C60C3B5F5AF0F9A9C3F15226BE0B30D2CB37E0E45FDDC5DF94182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:16.517{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E940B9580E605910EBEC98A7AAB79BB6,SHA256=7EAD4F2EB3A734ACF0FFB5DDEB40F14CED237F2F5BECCFD0F44D8FE15935EC9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:16.280{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E040634E5B11790B1F32183B6B1E12,SHA256=B33975A5F89F472C3CFA418773BE9CAE8FB876AC7CEA15CBDC98D5A4488AB76B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:17.997{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:17.995{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:17.983{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:17.974{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:17.942{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:17.936{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:17.918{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:17.911{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:17.899{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:17.893{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:17.885{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:17.877{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:17.865{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:17.852{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:17.846{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 23542300x8000000000000000125281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:17.533{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493ED61CF08A881A3574D9785F8D1D45,SHA256=2F12F186A659A6F45C429F25C63FB35CDBEAF866E9CEFE86BFA98DE6E33489DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:15.281{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52997-false10.0.1.12-8089- 23542300x8000000000000000154356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:17.289{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB5276295F1B66D0E8D4C1A99E9A1CD,SHA256=8B6C556CE46C1F0B291D957DA25A83608D5F5D991EBE6719A0B51AFCAC213686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.633{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15BBA8307A2F2F754B3EFC5EE9A7B09,SHA256=723DBFEDD82DB9B3573D611C861DCC125AF53D666539E4C72F6019D5C511C71A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:16.545{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52998-false10.0.1.12-8000- 23542300x8000000000000000154358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:18.298{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47043FF1A515EFC5FACD00934278BDDC,SHA256=F87663DF5E25E1F53A0787A293D2F73B96AB2C3A6F29E178B461C377F836F9DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.415{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A06AEE2DD2D38325473913D894D1C0B,SHA256=E14C454F311D4479CF9729E9126D7F1C49BDF5159FADD17718D044F6A4EDC57C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.195{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.193{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.191{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.188{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.186{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.171{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.170{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.170{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.167{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.163{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.159{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.155{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.144{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.141{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.111{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.099{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.090{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.069{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.063{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.049{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.045{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.043{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.041{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.038{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.037{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.034{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.031{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.030{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.028{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.027{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.025{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.023{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.020{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.007{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000125297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:18.004{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 23542300x8000000000000000125336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:19.649{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99006BF33530E632DB4CD946750D7E7,SHA256=5B7CE53EFF2EC78767805458387F5F979C655A63A1AC4F362A5BB1624C2A937C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:19.307{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8496A2FC96185181E9B1CAE85EE4919,SHA256=4E21C3496169A9E234FF6F917B87A21FA4953F9207BDDC233238D518E8B46A5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:16.235{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53698-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:19.031{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:20.765{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A6489FBBECB637DD8B7A48AE9CD00A,SHA256=275170A5B68148206B75E681BEEFBB3630193058A3421CBFDA69B643D455AE6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.894{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F8C-6323-EA13-000000007402}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.892{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.892{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.892{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.892{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.891{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-1F8C-6323-EA13-000000007402}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000154372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.891{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F8C-6323-EA13-000000007402}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000154371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.890{6820D070-1F8C-6323-EA13-000000007402}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000154370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.817{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D2CEF3DF533B28284D8B273156263D1C,SHA256=A6E6E1384344CB4D88BB30A1099FDD971D83E9AD45D6DF02CA09048828A28CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.318{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D37F95D110D8BA7B3F3F077DFE6A0C,SHA256=0F2BB2633F7586CB2348242A5EA087FE070FB1EB8FA888F4C361C9193DD38B65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:17.989{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53699-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000125340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:20.247{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:20.247{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:20.246{E743DC12-D54F-6322-0B00-000000007502}628712C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:20.231{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.228{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F8C-6323-E913-000000007402}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.226{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.226{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.226{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.226{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.226{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-1F8C-6323-E913-000000007402}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000154362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.225{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F8C-6323-E913-000000007402}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000154361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:20.223{6820D070-1F8C-6323-E913-000000007402}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000125344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:21.888{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B99DF5CA22FABDDC2A7EA47057DDFE,SHA256=367C10D8B2241A51E55912D08FC51F7702AFB35909466528904DFA0EB4CDE3D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:21.645{6820D070-1F8D-6323-EB13-000000007402}79886792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:21.471{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F8D-6323-EB13-000000007402}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:21.469{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:21.469{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:21.469{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:21.469{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:21.468{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-1F8D-6323-EB13-000000007402}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000154383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:21.468{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F8D-6323-EB13-000000007402}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000154382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:21.467{6820D070-1F8D-6323-EB13-000000007402}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000154381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:21.326{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=275251467B9F20DF0E791094B6F42E6E,SHA256=178E5C2F2FB1ECC593B5F3BEA5C3AC74A72B13D097D6ACC9653B61DC4F5B8492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:21.546{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FCD6B5ABBBF563237CE3C42AA61338EC,SHA256=38EBA80AE81FEDA252E6E439817482BE7E7690FD0FB5C0997AC72C0F2B888A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:21.282{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E383B8E8FF3E55CF01D6B2C82378B78,SHA256=B04667B63F49DEDC9F3D465B5C23119B9F408FAFEC67D968897DF0751A7196AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:21.117{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=22A73E1FD19C80141AC6F22CE578A8DE,SHA256=9EC2E8EFD29F8388BE4E332E85F23669E637C642718D6C122308D404119CD8B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:22.988{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA823224BBD7B4FD91F6B35676C3408,SHA256=BDF524B2EDA458E01CCCBD00BF2294D87B51C142E894D1AF0C9D157B6F6578D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:22.807{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F8E-6323-ED13-000000007402}7472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:22.805{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:22.805{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:22.804{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:22.804{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:22.804{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-1F8E-6323-ED13-000000007402}7472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000154401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:22.804{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F8E-6323-ED13-000000007402}7472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000154400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:22.803{6820D070-1F8E-6323-ED13-000000007402}7472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000154399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:22.339{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7FDAF5EB04C4BF3CDFBC9CEBC6D1E9,SHA256=B00462D85BC8BF498CF9BD29FAEC021D568F96101C59ADF49610F70677D11A69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:22.139{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F8E-6323-EC13-000000007402}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:22.137{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:22.137{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:22.137{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:22.136{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:22.136{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-1F8E-6323-EC13-000000007402}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000154392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:22.136{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F8E-6323-EC13-000000007402}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000154391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:22.135{6820D070-1F8E-6323-EC13-000000007402}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000154419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:23.682{6820D070-1F8F-6323-EE13-000000007402}2416360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:23.472{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F8F-6323-EE13-000000007402}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:23.470{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:23.470{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:23.470{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:23.469{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:23.469{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-1F8F-6323-EE13-000000007402}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000154412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:23.469{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F8F-6323-EE13-000000007402}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000154411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:23.468{6820D070-1F8F-6323-EE13-000000007402}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000154410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:23.349{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBCDEEE8A52C4E4DD9A693E44D5F211,SHA256=5D2987B6A91B78EC312E7420ACC837660147134D3CAD413509C93690A763106A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:23.489{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:23.489{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:23.266{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FDE78690DAF4A89FD82771146E7A8B87,SHA256=8F34B22DC4D352B0209BF8943188A9DCF9A85C5CAAE65DD544B6634D7DA55730,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:23.010{6820D070-1F8E-6323-ED13-000000007402}74727600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000154430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:21.756{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local52999-false10.0.1.12-8000- 23542300x8000000000000000154429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:24.364{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7584A580832E20B53DD082D76CB753,SHA256=A33570D373939730DFE2D1A214984D1C4347520DF80EF09EAE38AAA011F61C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:24.032{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778DF45FB5886405F3BAED03B057D365,SHA256=8BABDCE1548298C7DF2598720CFAB1589296CF163FAFF3B57061A7701BA12E1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:24.284{6820D070-1F90-6323-EF13-000000007402}59646580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:24.068{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1F90-6323-EF13-000000007402}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:24.066{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:24.066{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:24.066{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:24.066{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:24.065{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-1F90-6323-EF13-000000007402}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000154421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:24.065{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1F90-6323-EF13-000000007402}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000154420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:24.064{6820D070-1F90-6323-EF13-000000007402}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000154454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.536{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.534{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 23542300x8000000000000000154452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.381{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528AD265EC2CF26606AAC395C402E2FC,SHA256=CAF90D66F38BA43CEA2EC04DEE11F4B2920022A9268A0E88115AE7AC0027305F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:25.732{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:25.732{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000125350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:21.989{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53700-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:25.065{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C17221D0C7F8CF80BD973F878F1967,SHA256=A20F3D39FDE292D26A3AA359C87DCA21C0E633898B57F0B9A42AA36817AEA3CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.192{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.186{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.173{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.171{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.165{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.163{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.161{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.160{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.154{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.131{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.120{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.116{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.109{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.102{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.095{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.086{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.080{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.070{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.064{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.028{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:25.026{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 23542300x8000000000000000154455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:26.392{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=995850F35DF8DE313E673F5FAF31A128,SHA256=1B1006BDD231C8C33E8A50CD9B72F8220D0FE419249BC0977FE629F7D3742CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:26.167{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F19C707A151E49FD320409E38D43C6,SHA256=901142A2F2C380B94CFFD6A0BC604C306336F0D6C5D06A5B64AB32A01EDCE963,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:27.546{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:27.545{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:27.539{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:27.537{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 23542300x8000000000000000154456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:27.398{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B830EA8EC8DF5FD3D8029A8C066D3D9C,SHA256=53871C8DC5A3620C7D75347357B947B283920D305C511FF3FA16AD46848D4500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:27.266{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76E15FD6A3116948475323ABBD822B6,SHA256=7DEA6495F360BF5C5FCE6608A92D221A817C0F764925E6685806FF27EE9527F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.659{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F702C2312E5966512FFFC8BC7196F08,SHA256=61883C1CF71AEE4B13624CB8728BDCBE93E97B794E4AB74F51AE7F655673CD78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:28.317{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DFD5089E37765EF764E65EB3D37779,SHA256=2D6FA982CB625AA2E3DCDB8C85D11BB79586F9D2248E896D70F22F5E24CC5202,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.338{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.335{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.333{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.330{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.328{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.325{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.322{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.305{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.276{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.274{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.271{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.250{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.244{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.243{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.240{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.238{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.235{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.234{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.233{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.229{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.225{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.218{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.216{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.192{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.190{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.171{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.157{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.115{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.098{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.080{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.074{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.069{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.067{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.063{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.060{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.058{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.052{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.052{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000154461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:28.049{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 23542300x8000000000000000154502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:29.736{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADA0B77F1B0868A4BCA4CED188A1580,SHA256=E2847BA97D48982CFAD6F5BA8FDD7E9AB9B26B09FB8684E05BE3AD0D996371A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:29.433{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E6A5CEBAF767288084EC73F65876B08,SHA256=471E1E345A72DB0E9071CEEB347FCA17589CD9073076AFCA3EE8A257C3BB6661,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:27.627{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53000-false10.0.1.12-8000- 23542300x8000000000000000154508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:30.847{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7968D49C4B4589789AC052E99CB87956,SHA256=846AD804EB7387FC36B814A6FB8DEA491E914DFDE0249DC5F0EDED97FD5495A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:27.175{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53701-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:30.551{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEFE3216D03366DFE531B80CF268B888,SHA256=843E9875780402ADADAA648E44455AE81C9AEA01CD52A743D0352F4D8154DA2A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000154507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:50:30.582{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8540D214-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8540D214-0000-0000-0000-100000000000.XML 13241300x8000000000000000154506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:50:30.580{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BDD44E51-425D-47BA-BA16-AF37623148D4\Config SourceDWORD (0x00000001) 13241300x8000000000000000154505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:50:30.580{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BDD44E51-425D-47BA-BA16-AF37623148D4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BDD44E51-425D-47BA-BA16-AF37623148D4.XML 10341000x8000000000000000154504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:30.566{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:30.566{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:30.338{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-308MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:31.958{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E068EFBF6432F2FA73BA03EC5901A6,SHA256=882134C67625C3BEFDF390B7D3757DBE2A9A1A5E576CA8DBA41D19FF0520F7CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:31.569{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A2AC42244795B0635B0135BA7F875B,SHA256=9FF7A1841723E2B7FD81C3031A35CC9142FDC550B9156B109599C38DF3822D46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:31.412{6820D070-D2EE-6322-0B00-000000007402}628764C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:31.409{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:31.409{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:31.135{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=F4F8EA706E8F289E46838BA642D8F465,SHA256=51FAF31E804AABAE0A5AF18D10AA220C8061AA674856CA1ED52F053A478F3D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:31.126{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B301BE30AC1A0634B4BA12AC056DBD1C,SHA256=FC749907EED982E9F12A668D837C23F99B5207C9B3D43BEBF7F754DE38C18F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:31.352{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-309MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:32.696{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0DBA2BE980892E4A444D492DAC8FCF,SHA256=D07640739C44E1072084A93C21C42E000BE8A8EB974532185AD2F2AC8F34D7B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:32.969{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D126882EF2C90B5D06093516E4B4C95,SHA256=415FFEF3CF6DD124B0DD60213E8E3B418752168BC65C76FB67E872875F2C0D34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:30.916{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53002-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000154521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:30.916{6820D070-D301-6322-2100-000000007402}2504C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53002-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000154520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:30.077{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local53001-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 354300x8000000000000000154519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:30.077{6820D070-D301-6322-2100-000000007402}2504C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local53001-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 23542300x8000000000000000154518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:32.467{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=519ED06CEE6AB316CB624B997D739A19,SHA256=E7A66E1A4DC1391B185C978C48727C82FC40EDC9D653FCCAD0E3194ED962A1AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:32.246{6820D070-D2EE-6322-0B00-000000007402}628764C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:32.242{6820D070-D2EE-6322-0B00-000000007402}628764C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:32.242{6820D070-D2EE-6322-0B00-000000007402}628764C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:33.794{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C010E4DEDC91E313FEC43073A465E82,SHA256=2C6070D64E15D6659F9A5DCEBB7B52BE5FB69A97BE9FB5981243EA8C0AFFB8F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:33.980{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8746AEBB6DF562882E0C0FBDF9111F,SHA256=07E6AA72CBBD01DCAAE0B523B0CBD510BE578BD7B2EF698CE80B398183A26A7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:33.337{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:33.337{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000154525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:31.748{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53003-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000154524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:31.748{6820D070-D301-6322-2100-000000007402}2504C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53003-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000125368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:34.832{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6AAD7B724D8FA54FB966286371C3A16,SHA256=1A9F46075BCB1E2817FCB8831E118C52279E5D905B87E5DF16E78D4B4F825E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:34.990{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403DE3AA49747F8ED62C644667E786E8,SHA256=D9B9AFA77BC38BD35BB53C816A9F4D804A1696728EE82864C2618FBB7B34A5A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:34.052{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:34.052{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:35.869{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2EEB63DD7B70DC6D77A272D6378F2E,SHA256=029F0721F3B33F2765706B3C555358B1C034C1B8F97F5CCF0F56F279280CBD3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:36.936{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B36ECFEF27560AC3333BF9E407F6829,SHA256=112A78909304C66C786BA32F0758C0FF529550188FBE56602F3172A3DD69347D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:32.655{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53004-false10.0.1.12-8000- 23542300x8000000000000000154528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:36.000{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=499AE40F6C88D741CD81EF77B619BB40,SHA256=249D6C374331032678AB11E89296D1FE79E03EB4FEA3DA352596B7D539BAC7BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:33.178{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53702-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000125390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.996{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.993{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.989{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.982{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.980{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000125385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.975{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138541EDB8E73D99D6BE9062E136C13E,SHA256=A351C413DDF32449C611B765D0EBBC6295844AA20719D1C93FB76C498DE6A29C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.968{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.960{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000154530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:37.106{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5B0F45B17EE5F7BB05D6A14BA089A9,SHA256=EF74274EB1791978715AC9D593AE608A8715D7AE3772BCF8314C9EE3065897C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.929{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.920{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.910{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.901{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.885{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.880{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.873{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.864{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.855{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.845{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:37.840{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000125423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.704{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=09B03C3ABE1E1D869D9124E58C7958EB,SHA256=7A4D4FC2177C755AD3E0F8134105E34FE43E74245E1453BB8A0925BF96A59FAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.192{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.189{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.186{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.183{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.181{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.162{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.161{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.161{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.156{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.151{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.145{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.141{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.131{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.129{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.100{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.085{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.070{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.046{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.040{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.031{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.026{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.025{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.022{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.020{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.019{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.015{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.012{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.011{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.009{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.007{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.005{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:38.002{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000154531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:38.111{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C609A92DEDB56A074F87CBD16350F0D,SHA256=CEA334F171950417712A42435918A740EAF0FD921A2866EAC715A9E62B875222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:39.620{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D284BAC01F0F9ADFCE6D7A81AAFA9F01,SHA256=DFF788DE89467F4F1C7886801898D4E25A0640E9262AAB49BE7FB624674DC61B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:39.117{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94874C8DC934F1C91671E3E90FCAC5F2,SHA256=4248EF5C11148F1AFC9CBF1EEBCC462B05644F7C1A1BB1A10ABD1ED8DF000324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:40.669{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D00FABD81261C915954C708E694B94BA,SHA256=96A3CCBF8939190BA65C67C6EE7B60BCBB7272221566F037C2862173FB41BB9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:40.126{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C4552320ABC8823DFB6FC7ED9737E2,SHA256=CACEAF6AB3468FBF31809CBFE89B3A44B03E1BCCC9B41E2FC47962C1083DBBE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:37.738{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53005-false10.0.1.12-8000- 23542300x8000000000000000125429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:41.823{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A4EC8B62ECD188503570AAB7BB3D05,SHA256=CD0CEBD8F67C6D572AE8F6FCE9F1568B1D4F4754CE9ACE06D120F4DEB0BFCBE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:41.135{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED02FB3813B31C4B3385B7C4654E147,SHA256=448A822DC37E9DFAE51B7B14E64594ADD8AFF86F0D812200EC2CB4D6FD1C5432,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:41.592{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:41.592{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:41.592{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:42.954{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89229147D02815890DFFBA4BBD7CD14,SHA256=46AD46B2BCB6AF8A4AEB462D6E11CF1C8E2E9895655866954D05160ECF4E2E7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:39.223{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53703-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000154536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:42.144{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604237C7884CAF1AD1211E72C1B54FC2,SHA256=CB8F5DDA89C6268E5764AFC0C0AFF0140F3EAF540F8184E3634425F3347D9828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:43.971{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE47292DB0DDF88D84F49CE512E4E39C,SHA256=FEC41AFB98E1D87A09F3525BB9964166560CF89F8AE85D7BAAFD7B958061412D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:43.155{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B5DDF8E7D61814954BB5D668607AC6,SHA256=8ACD3624B57159FB2AF68DBC962D423D8FB06ABBD2AA4B233A0B060DE960F529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:44.163{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F812A6A86500ABB112036F08F1ADA5D,SHA256=71819218CF41B32E6322E28B0C137CC149E1AC2815CDA9E6CD528E1ED7C28C39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.730{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.728{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.283{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.277{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.264{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.260{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.254{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.250{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.249{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.245{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.236{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.197{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000154550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.180{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F458A187A2A9E74A1F12A858E82E4A2F,SHA256=20779F6E236629AA0DE856E3D61B7541228FA47F238F1E3D32801F9C0420096F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.180{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.176{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000125433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:45.072{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F215EA67503AA38B9AB8A856AA7C4A6,SHA256=D9C8743B5831D1390F83B65298AE263CEE04EAAD5201F0073F7FDDC587B96417,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.167{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.160{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.148{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.138{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.129{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.113{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.102{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.048{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:45.044{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000154564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:46.297{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0D387C89E133BDB168831991302431,SHA256=FF6FEBB46E871687E6BBC78C9E6E7B68B69D11266DFB78FDDB84A401292D3070,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:46.183{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:46.183{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:46.174{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB4113A100CCD6E51509E77F890CF2F,SHA256=7830CD4BBC7BDC3C25DA5056AEA0830A6B79C0FECCAEF6FBA17351DE31F303C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:43.569{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53006-false10.0.1.12-8000- 10341000x8000000000000000154570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:47.742{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:47.740{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:47.735{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:47.733{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:47.686{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:47.302{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA4F008F01519CE9A26D41C8EFD5909,SHA256=F5755E22A7C619A45A2D37C2206FB4529751084BFB0E7D3A29376D7FAE48D363,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:45.098{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53704-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:47.243{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EAEFEFCF2CF7CD6F173CA4ABF061213,SHA256=641FCDA3D1497905C224D5880A202D51D2DB2A606809A5B58D098D93269B217A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.542{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.538{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.536{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.530{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.526{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.524{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.520{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.506{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.488{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.483{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.477{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.450{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.444{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.443{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.439{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.436{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.433{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.432{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.431{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.429{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.424{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.416{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000154588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.414{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C07FA0CC53169CEE005D44134D5B10,SHA256=CB367156DA08BE5C0A8657F562AF09C2B3E82A8380560C847DA2FB3DC7C54A5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.414{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.381{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.379{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.359{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.349{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000125447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:48.442{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1FA8-6323-BB0B-000000007502}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:48.442{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:48.442{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:48.442{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:48.442{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:48.442{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-1FA8-6323-BB0B-000000007502}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:48.442{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1FA8-6323-BB0B-000000007502}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:48.443{E743DC12-1FA8-6323-BB0B-000000007502}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000125439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:48.342{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF1C70BA5D103962DCC621EB1B620A2,SHA256=616A3949780F5863170F4E4AD377F48E08EFA4086E435E72A9D8C4907B75F68A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.301{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.293{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.274{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.268{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.265{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.262{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.258{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.255{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.253{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.249{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.247{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.245{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000154614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:49.788{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9FEB31C6E837F61F909506FF881E10,SHA256=D631C1DB5C0225095F315B4CF9A10C2C7E05387ABD3BBAA306CBCB358627B7FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.802{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1FA9-6323-BD0B-000000007502}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.802{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.802{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.802{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.802{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.802{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-1FA9-6323-BD0B-000000007502}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.802{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1FA9-6323-BD0B-000000007502}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.802{E743DC12-1FA9-6323-BD0B-000000007502}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000125459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.579{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E515761176AD33AD8F4B2A0857131DB,SHA256=48FCFEA74C0AD36892C9A105BA6B7EFA799FFFC1AC3609F8BE00992A821BC20F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.428{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F25F43AD9FFF5F278F8DDD6C72AA269D,SHA256=F8D61AC247ADF3BB7A40C09153F9A7BF15119B8243767D98C723EC3029716D45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:49.045{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:49.045{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:49.044{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.285{E743DC12-1FA9-6323-BC0B-000000007502}35445560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.161{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D06677585661DF26FAE727AB105F16EA,SHA256=F4ACE41C8AD36638398F2502966BE69605BAA6D867C9626F6825B3CF621D42F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.117{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1FA9-6323-BC0B-000000007502}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.116{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.115{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.115{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.115{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.115{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-1FA9-6323-BC0B-000000007502}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.115{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1FA9-6323-BC0B-000000007502}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:49.113{E743DC12-1FA9-6323-BC0B-000000007502}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000154615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:50.844{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A084462A3526E6D3CB7E1D55EE9C1230,SHA256=3A881693FA55D684A58956F9A8DC5301AB27BFD8AF7EA625A33864A78125089F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:50.763{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=608425FB7FC15A8BF0AD9720E2F1E178,SHA256=A4715F35136EC6BCA0F4EC4D0460B8775F3AA4758C81B0CE45D6B5157CE35175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:50.502{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECE9EA08662812BCE87C75D7DBF5439,SHA256=7EB4169DF6A74AA01C48A4F2E9B930A52286113807D1F6EC8884591B7E1B55A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:50.481{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1FAA-6323-BE0B-000000007502}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:50.479{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:50.479{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:50.479{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:50.479{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:50.478{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-1FAA-6323-BE0B-000000007502}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:50.478{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1FAA-6323-BE0B-000000007502}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:50.477{E743DC12-1FAA-6323-BE0B-000000007502}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000154618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:51.855{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18681D6940C89749E14ADFBBE19C088,SHA256=49BC9F17886DD2A56853F9E68488E5BF786AD18D65EA0F01BECB2C6D86A47C34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.808{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1FAB-6323-C00B-000000007502}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.808{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.808{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.808{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.808{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.808{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-1FAB-6323-C00B-000000007502}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.808{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1FAB-6323-C00B-000000007502}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.809{E743DC12-1FAB-6323-C00B-000000007502}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000125487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.565{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD32CCC9C4808374FC11FF1D928E91CB,SHA256=7D0A6CB12D68B90CE95C8BC546636EC56C38100097619993D74940706228CC81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:51.658{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-318MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:48.686{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53007-false10.0.1.12-8000- 10341000x8000000000000000125486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.317{E743DC12-1FAB-6323-BF0B-000000007502}52324564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.144{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1FAB-6323-BF0B-000000007502}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.143{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.143{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.142{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.142{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.142{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-1FAB-6323-BF0B-000000007502}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.142{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1FAB-6323-BF0B-000000007502}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:51.140{E743DC12-1FAB-6323-BF0B-000000007502}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000154620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:52.864{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09001075E46C38F32A74E0E6B0E0D78F,SHA256=CE7389F127ED0DB7CD7EA3279EB4D357B8BB085C4BC5CB60B282E097AA9CFF72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:50.206{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53705-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:52.636{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B9B98E95B4B9B5A2BC86A83CF5F4CA,SHA256=003D5A4E42091D0AA8E5A8B7A9A3490A914DB355439EE3A59FD92C4B02FD2AFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:52.636{E743DC12-1FAC-6323-C10B-000000007502}39045688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:52.657{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-319MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:52.487{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1FAC-6323-C10B-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:52.485{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:52.485{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:52.485{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:52.484{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:52.484{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-1FAC-6323-C10B-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:52.484{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1FAC-6323-C10B-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:52.482{E743DC12-1FAC-6323-C10B-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000125496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:52.007{E743DC12-1FAB-6323-C00B-000000007502}57604180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:53.973{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65631DB5C9674A53598CA994EFDCFBD4,SHA256=A0672D316C1557116958D2C25C19EC64F3B14D1C63C0967625DF882C777FC69D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:53.686{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4384D1AE1E52BDE77121D37E41C1004B,SHA256=731AAA968EDDB097EEFE4EC50AFCFB91B096CF550E5154C8FC00C2B64276F497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:53.465{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CDB9FE590BAF9A0E401E23F91D97CE10,SHA256=C5F1CEBC254CB3379A50E68669975C808EE2D0A8B8557F6837BCC9395F38D94F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:54.982{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5456ED6DC585B7137B0AC814A1B7458D,SHA256=324AE92F720F9641337F49CD5C9997F4A83CEF4FB900861EB80BA0026F1B6B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:54.754{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF1587FEFB3C844E944D2950C5E02CB,SHA256=CA1B2AD864AA0FEBEFE5C91A3006DBA6F65544433A5D003226F0EDD9EEE2F87B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:55.813{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0E1572F1DC4777BDDDC8FBE127A0E8E,SHA256=083C9A7AFEE7EA7B0449520F47BD155F33DA6E453D7AB7455B07938AA0A3669B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:56.844{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D343C76C6BE0305ECAA9BC79F4FB03,SHA256=1C784E3476E468D867A724A17BAD48E970A688CD9F33799BB9117514C43D2627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:56.091{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD77443C216B2CAACBF0A8C5333689B2,SHA256=C42804ED54E14B1B137941F09A11FBA5E911E58890AA2ED8C5A65C2618FEF65A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.998{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.993{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.991{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.989{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.987{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.986{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.984{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.982{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.979{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.976{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.973{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.967{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.965{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.952{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 354300x8000000000000000125525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:55.215{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53706-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000125524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.940{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.919{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.914{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.905{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.896{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000125519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.881{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36F50EEBACE782BB6DC15397A7059E8,SHA256=A9854C394ED08340535FEAE918B9E00988C9308D7E113A7F8E5BEAD980E5DBC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.875{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.869{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.863{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.855{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.847{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000154626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:57.097{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D54DEC689253712269786A11D779BA,SHA256=E56C30E57C7CF057F6E5154F4B6A8911D30CF5AEC0C4C9C68C580645665C4EB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.835{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:57.832{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 354300x8000000000000000154625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:54.546{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53008-false10.0.1.12-8000- 23542300x8000000000000000125564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.964{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43811A5D915486582CE8B71F699B9EA,SHA256=ED9252526EAB3FCA25155CE0D1717CD3303CA1BA49A67468BB119D1ADC4D060A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:58.104{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D2CB32EBBA40A081DA33B423C6A25CC,SHA256=6D3B98ED15C654784CC1063C36015242B3321FD56933E42D7870F8A8697B3ADE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.135{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.133{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.131{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.128{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.127{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.116{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.115{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.115{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.112{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.109{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.106{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.103{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.096{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.095{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.077{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.064{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.055{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.032{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.026{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.015{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.010{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.007{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.005{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:50:58.002{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000154628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:59.214{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D66F1A279FF5284D07889D76EEC12CB,SHA256=A0BAABBF36C324F03AA8775C88C65D4BB246D2E7A0ADBCBDCB6C9A99F5C7AC7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:00.222{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0988E56DE2BF969C771D7BA0BCF13D2,SHA256=C2A3D1DE6E79C14291B4EC44E67A341FA9535AA040AB846245EB756B7E82BDE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:00.003{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC8C5AF45C523FAC034C9F3CF7DE0B0,SHA256=8E42C91DD949ED7B5B592B01C639F94B57CBB4C72A8CFB658B666661611D270C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:01.232{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA7E45139530AFAAC16F2C4E6A0A780,SHA256=BBA98665FEB6B0813739A9433C394E8ED62277BE8E5CE5F0F867780ED5A519BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.527{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.527{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.226{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.084{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81EF835D7E998B9B601FCDEE57C24960,SHA256=8C0D0FDB205025BDFA9216A64AEF29C041A9F79502E79160D3CF26F3928F897A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:02.313{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D302FE6090E533653A13D8C734A478,SHA256=3A90004DA8A27D63D444A62761B953F27E74B70F67219C617EFC787F1F2B4433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:02.242{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6C581CFED386135B87853EA3FB0CC9,SHA256=2CCED236B387EFC14CF33B41EE2ED31BE4B5C3C445FB20E89580A1B253AC2702,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:50:59.723{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53009-false10.0.1.12-8000- 354300x8000000000000000125602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:01.060{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53707-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:03.532{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1527A69993A2D7A0C73946724B682481,SHA256=7DCE6A07BD5CD51165DCE1323C3F296AFB8B7D152509627C92CC7732CCA2B842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:03.252{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B0451E0B9808C67345C2F46423936B,SHA256=934E9BAB138563688683E98F4D7E2C1E40C8891FE2CF2C3273F8B87F4B5F8159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:04.562{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F74BDFCC6555AE175E1D1DF2444485F,SHA256=11E4C46740AE8F48C6455FEDC0A1D017FAE41341A29D52924F07E63A10966C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:04.262{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED75C0D7A6ED9D005D5D92EDA47EC74,SHA256=9DAF92ABEAB17C94477482DDF6BCD9FD35CAB4DFDA0625BA5423B819D1AB9EE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:02.301{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53010-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000154635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:02.301{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53010-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000154634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:03.999{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D735500DBD4755400717F4B8A81FF405,SHA256=971620928692DFE8C2AD616D7234FF4E54124F1316EBDCAECAFE29FDF5AACAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:05.612{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720086FFA2B92789BC7856C5819A3E4B,SHA256=7BEA6695D649526CB72A3D854D6795092180A3B859EE5F1703C2AC70A6DC0DDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.706{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.703{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000154659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.283{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C8B55F387015547445F824A2161C40,SHA256=67D88BD7179B4F82A10714E4E2E3252652D66E2B17269585A62D58114D9A5689,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.236{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.226{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.219{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.215{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.209{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.205{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.204{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.198{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.195{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.158{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.145{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.140{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.129{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.114{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.106{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.096{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.090{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.081{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.073{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.029{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.027{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000125606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:06.639{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C17B0970F2A9E6A47C254B140610D8F,SHA256=8486BACF5A4F6F1223481437FD352F71777F3061FB1FA0A0EF9D84071BA3226D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:06.287{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D255308AB41F894266E03046A043792B,SHA256=8E9E45CD108935FDBAF68A0DD1F19288C24AD07C5EC711AF5CC7E8F5E279065F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:06.377{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=2A610AD254DE27D2667FCE3000C8ACE3,SHA256=C272216567533565CA9331D1B87F3230F80C63471E6E9A99DAB4CBE2945D05FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:07.717{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AEF309A601ACBEAD4BFCDABC93C3979,SHA256=08F4D18BA588E1ECC28EF99863FD9F33B00941D9144611E4F8DBCE4A2919B2B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:07.719{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:07.716{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:07.710{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:07.708{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000154663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:07.293{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341109C423108B530E067DB0525995F8,SHA256=927B52EA45764026EC7A67E2C8BA771DDB4C9FD388786A0BDD376F26C6551CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:08.744{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA7241B672EAB5D96F05CE84ECB0F88,SHA256=7D75E25ABEC33B577E1E8DE7FBEFAA127B0702091F60019108119E7AD9CF409F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.487{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.485{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.484{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.482{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.480{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.477{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.475{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.461{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.449{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.447{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.445{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.434{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.430{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.429{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.426{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.422{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.417{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.415{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.415{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.412{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000154688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.409{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17BC5B17B06C40AA395B7F82341C7AC,SHA256=B3D84267CA2B2BB978AF31CD6EE0CD74E2EFF4930E0815260910BF5D9EEA5BAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.408{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.394{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.390{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.369{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.367{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.346{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.337{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.294{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.278{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.261{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.250{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.248{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.245{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.240{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.237{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.236{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.225{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.224{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:08.222{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 354300x8000000000000000154668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:05.602{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53011-false10.0.1.12-8000- 23542300x8000000000000000154709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:09.909{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF27F9EC13148C50343A667EBC9ED08D,SHA256=0D721DA173ECF488ED674697A21EB8968C9C7AF3B192C861C1733C7E00F3E8F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:09.846{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3FBD626D01E96F41D1C6DDBA4D451B,SHA256=38B25ED6CF2F1325084595DD2DF9114F245CFC5DDB23642FE885958854DF4E87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:06.087{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53708-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:10.925{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F88ADA5060BB62EBA6EBB411C1CF65,SHA256=BF3E4CBB0A0A5654A7F3BA4D091AACCD02A275D7026E7F93A7952D0C6EA6A6A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:11.994{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF779320AEA50F99F1A2E25D3A2B31B,SHA256=771079951101350DCF2C7794B7DEA8505E847C821D390E89D7FA15E1C9343226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:11.156{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2509EA7D0C9D9C75563C825EB6823AB6,SHA256=3409CA34B4EC09793687F41DE7E248CF867F35507DAF0EA6412EEA809C20088C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:12.168{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71838515C266CB0B004BF8045B46AA8D,SHA256=C9D264A5693CAAB099E2680EA8331F7EB635B631694B4E8FE6AB674596B198C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:13.276{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419E5B94A949C5FE7BA431CABD7A2B5B,SHA256=F5876F55BBF810AB1C197D49C35E6E24BD65ED3BAE1126435621D5EC8134759F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:13.081{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7653D45D8CF2E1A0558AE57855CE3059,SHA256=D6DD96216FCAFEE8ED8C9D85FBDDCF13B6073CEA78897351066018D2FA734727,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:10.745{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53012-false10.0.1.12-8000- 23542300x8000000000000000125614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:14.132{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD72EAC7688A47BDB321C7E80B497F6,SHA256=B21682C1E78A344619A0E565FE1C6AA0702A42D547F2BBC78B598AB69DDBBEEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:14.286{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34EA4BC71EF2ABD9DACE92016BF1BF6,SHA256=5D0B88DB90CD0B6A9AAAF3710E71B87DC89E792053FFF84BABA18E3043D1B1A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:15.301{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52FF6C479A87A3A1F3AB19DE8D2CD99B,SHA256=84178D34F8021AFE9E93098DBD85944A107AE93D868F8CB93AE0F4E6F8B4748C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:15.794{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:15.291{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE8A83C62B67457E41ECD15E2AE2601E,SHA256=C38BB08DEE7E7B389711D064D5F78BBBAD2ED1BEEA948E1DB585FBEA6849507D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:12.053{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53709-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000154717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:16.397{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F189B1AD9B4B59FBF9CFBF8C7F10CD36,SHA256=75EC07F6FCC87704A243CA848BEED088B60C4C6A049FA53AEC8D95B4D463DDB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:16.387{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB492306A09E96A546005A5FC2D63C7,SHA256=96AED5A8EC1DB2853554F446FBB4447FBCAF82DD675C8BD3E4B6E263EF4C0641,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.997{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.995{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.994{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.991{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.990{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.988{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.986{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.983{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.980{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.977{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.971{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.969{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.958{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.951{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.926{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.921{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.911{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.894{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.882{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.877{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.869{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.861{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.852{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.843{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.841{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 23542300x8000000000000000125618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.476{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AFE559278DD1F14FCDE918965EA06EC,SHA256=E026A5D14960869212F76B8FBB5A47CD069A1F5B7A78E60393A23AD34DACD68E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:17.405{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B14742D1F62700CD2841F77AE8C7DE94,SHA256=FE232CE79DED6CAA8225D3F5A96A4C27B4AFB389C11CDD9570EE87A7FB5C6448,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:15.298{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53013-false10.0.1.12-8089- 23542300x8000000000000000125670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.607{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD6B9CBF4AD1F87DEA56A4563F7162FC,SHA256=016838E40E2CB828996E646B0C53D861D485DC33783DF216A64479BEBF95C3EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.607{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B4A7F7D712A8B0B090FEFB278A02A9,SHA256=D1FDFA3CF3C0372A68A60C63F8ED094EF0C2186EDDCD8986C9656C3F8DACFAFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:18.414{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC9C8527B2647CCFD990E33C8F0AFD4,SHA256=90CF86C53DE2FA3E75E1645B07555BB30C715C6EDC14AB1C655D84A0240098A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.137{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.135{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.133{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.130{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.126{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.113{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.112{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.112{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.109{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.107{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.104{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.102{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.095{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.092{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.075{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.063{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.054{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.034{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.028{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.015{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.010{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.008{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.006{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.002{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000125644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.001{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 23542300x8000000000000000125672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:19.709{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691C75D93AE19C9AE897A7179FC938AD,SHA256=3593C3218622734C21AB21D40CA0B6A074D42CFB7176A10A78EB11AB68870ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:19.425{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF7FD75A7B244F146D0856B2E0582D3,SHA256=14A631FF4A9B59552A7D4BE8EE14F836EDC51281E41FAC03145E0F5E2F60004C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:19.064{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:16.687{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53014-false10.0.1.12-8000- 23542300x8000000000000000125680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:20.810{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50F74EA14D1A22E8D41A66F02269B37,SHA256=D751ED27748411F468E6306FD555AC1F699F7A5463804B7E4E408F58AE46DEB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.893{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1FC8-6323-F113-000000007402}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.891{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.891{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.890{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.890{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.890{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-1FC8-6323-F113-000000007402}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000154734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.889{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1FC8-6323-F113-000000007402}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000154733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.888{6820D070-1FC8-6323-F113-000000007402}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000154732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.473{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=83D60C0C30E4A684D4AB3AC5674859AC,SHA256=ACD772EAE6406A3A7CA8583A37C090E09A9C56510D5BCF00FB24BF3466BDB12E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.437{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549F01E9A98CB0EFF43C8014D0106052,SHA256=22DB42F879E7B5DF3AE14C5446C82EF27B9FA377CA0FEC882B60B3481F915DC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:20.708{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:20.708{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:20.239{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:20.239{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:20.239{E743DC12-D54F-6322-0B00-000000007502}628712C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:20.226{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000125673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:17.136{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53710-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000154730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.228{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1FC8-6323-F013-000000007402}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.226{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.226{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.225{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.225{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.225{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-1FC8-6323-F013-000000007402}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000154724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.225{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1FC8-6323-F013-000000007402}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000154723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:20.223{6820D070-1FC8-6323-F013-000000007402}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000125683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:21.867{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177FB4AC3E73B00F584B5D5F57968116,SHA256=DF3FB9365FB1CAD98E17F542C1ED8CF26E89E53CDD7A6C886FA400E927B25DD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:21.780{6820D070-1FC9-6323-F213-000000007402}54846276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:21.560{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1FC9-6323-F213-000000007402}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:21.557{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:21.557{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:21.557{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:21.556{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:21.556{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-1FC9-6323-F213-000000007402}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000154745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:21.556{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1FC9-6323-F213-000000007402}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000154744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:21.554{6820D070-1FC9-6323-F213-000000007402}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000154743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:21.449{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99757CB01C60C8E0071998AB419228A7,SHA256=DBF9AEA6D0E228BF51D6CBD0C106D862B44EE2C780F45C3620BF2C011F28F624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:21.440{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E280C2D9503876673DD6DF63D2F7F6B9,SHA256=2BB8E2DE698DE9B4C859DEA4B86606DC4B9B8B8C06ABC3A6DD6BBF2325A5924D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:18.014{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53711-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000125681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:21.109{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=21525AD393CEBE7D41DE2E6E6B9FEE6F,SHA256=A7A70B27BF8A5CC480A99D5C290ABEAF2FB23837D49D2F840A53EA8288BDCB82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:21.082{6820D070-1FC8-6323-F113-000000007402}11167632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:22.928{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA838F647F289AB7947E780C6D89EC9,SHA256=45C6014A8463D15D65FC098691E3B7630E83088BCBEC98BE9C7AC6FE3E47FAFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:22.903{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1FCA-6323-F413-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:22.902{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:22.902{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:22.901{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:22.901{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:22.901{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-1FCA-6323-F413-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000154763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:22.900{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1FCA-6323-F413-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000154762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:22.899{6820D070-1FCA-6323-F413-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000154761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:22.463{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81EADE6113881C8671520B49CC55D7E2,SHA256=735C853CBAA11AE4B7C09C35DBEA47816137AEC4941249745F0BE3B5F6AD097F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:22.239{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1FCA-6323-F313-000000007402}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:22.237{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:22.237{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:22.236{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:22.236{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:22.236{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-1FCA-6323-F313-000000007402}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000154754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:22.236{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1FCA-6323-F313-000000007402}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000154753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:22.235{6820D070-1FCA-6323-F313-000000007402}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000125685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:23.972{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D00831FC2FFC8E64AFDA3076C86A70,SHA256=3744134CF57BDEB49C11E114AF76BC574AAEE68497ED77D526EAF6FD6BA4A648,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:23.774{6820D070-1FCB-6323-F513-000000007402}56727744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:23.709{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DD28822EAE30F996D3E6DAC73A4A92F4,SHA256=31D72B3B24A176E137DC4A3D7A4D8945207C8AD71D3E1124EEFE11CE975B34E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:23.584{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1FCB-6323-F513-000000007402}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:23.582{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:23.582{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:23.582{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:23.581{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:23.581{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-1FCB-6323-F513-000000007402}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000154772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:23.581{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1FCB-6323-F513-000000007402}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000154771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:23.580{6820D070-1FCB-6323-F513-000000007402}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000154770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:23.474{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFD6A362419C993E19BD944E3F9B0F8,SHA256=F5064802D45043A5AEAFCDFA531467F5B2FE7DB088004D4F22A96BC28FB22A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:24.490{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99E3EE205C9918D127DA48B8C08361B,SHA256=C1E6C1B62201EC3F1E517D5B2D900C9C868EE8296D8A69D8FC953F8F230A0BDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:24.404{6820D070-1FCC-6323-F613-000000007402}79887248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:24.194{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-1FCC-6323-F613-000000007402}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:24.193{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:24.193{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:24.192{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:24.192{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:24.192{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-1FCC-6323-F613-000000007402}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000154783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:24.192{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-1FCC-6323-F613-000000007402}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000154782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:24.190{6820D070-1FCC-6323-F613-000000007402}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000154781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:21.697{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53015-false10.0.1.12-8000- 10341000x8000000000000000154815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.579{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.577{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 23542300x8000000000000000154813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.502{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E44293B1A5805ADCB1625ADB5180AD,SHA256=64513C17D97B3B80EE3D7DAC6E7B42F3B61A6B4F3773B7DF4849FEEA75D9ECC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:25.050{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7DF439CD7B865D59A75BA0001570DF,SHA256=2C9844808429CCCC2E91748F55A31024C5A0DD061C425FD8E0830CFC8B464F95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.208{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.203{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.191{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.187{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.182{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.179{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.178{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.176{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.170{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.139{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.126{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.121{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.115{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.105{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.098{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.088{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.081{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.073{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.066{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.029{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:25.026{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 13241300x8000000000000000154826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 12:51:26.691{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000154825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 12:51:26.691{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x012c5669) 13241300x8000000000000000154824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:51:26.691{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c8f9-0x7c3a7dbe) 13241300x8000000000000000154823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:51:26.691{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c901-0xddfee5be) 13241300x8000000000000000154822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:51:26.691{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c90a-0x3fc34dbe) 13241300x8000000000000000154821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 12:51:26.691{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000154820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 12:51:26.691{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x012c5669) 13241300x8000000000000000154819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:51:26.691{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c8f9-0x7c3a7dbe) 13241300x8000000000000000154818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:51:26.691{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c901-0xddfee5be) 13241300x8000000000000000154817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:51:26.691{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c90a-0x3fc34dbe) 23542300x8000000000000000154816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:26.510{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4726E8C7E8A0985DB2DC2FF080E423C5,SHA256=F005EA9B1587A69E645D9BFA0E5AA577BBB25F222334B8462D637863551F5407,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:23.119{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53712-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000125689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:26.352{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:26.352{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:26.134{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA726E5A032F001155874178337F8C03,SHA256=7E5757BEEFE1D87775016EFDB028975903DB6E621855435B87396DF46E19DE1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:27.592{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:27.589{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:27.584{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:27.582{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 23542300x8000000000000000154827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:27.522{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7844B8D8A21AA3251F9BDF7F8B7C65D4,SHA256=527615B1A4D01C50165C1C9BBAA7052718D317E47415ED66D08EB0F5A5D690D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:27.678{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:27.678{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:27.220{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC12A5A55283226F016017F28D5321B7,SHA256=F0B87354E176D8E5340EEC71212CD0D073B2EA6F4ED2E345647ECFF8E5EEADBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.786{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E75E76DB8F7ED31F0CC8E9E820B665,SHA256=B357917FA013A3A1F8D9D0DFB2FCA6E57AF749A7C6F9BC5BC4407B0AE6BDFC9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:28.279{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193618FE3E1C2D5342F86D5DBDC3C2F5,SHA256=7878173DF6EFDC952C2C2A171C0A321687B0584F78289520ACD554598F28A332,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.360{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.358{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.356{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.352{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.348{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.346{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.340{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.320{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.298{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.294{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.291{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.275{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.265{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.264{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.250{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.244{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.239{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.238{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.238{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.233{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.232{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.216{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.215{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.197{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.195{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.180{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.172{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.141{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.133{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.124{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.119{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.117{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.114{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.109{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.106{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.105{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.101{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.100{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000154832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:28.098{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 23542300x8000000000000000125695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:29.340{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9DE53A32CF8E0FF97252B74D3022C31,SHA256=3FF2FE8E56F9458C52D9A112F0C09A2727F00362468F301D38E4DACDAF11E4D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:26.707{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53016-false10.0.1.12-8000- 10341000x8000000000000000125698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:30.883{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:30.883{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:30.410{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0861B5D639CB3EF588E4A24C7133E9CE,SHA256=4F62A5E442BDE37CD4CA7D4AEABE3B276F6736E2E80D988085DB3EAFF41742E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:30.059{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=537FD1B8DBD2607E927FC8358F233BD3,SHA256=487E3F77129110FED1ED38785E1ADB79635CBF57D5F02546486C19C44EB8B0F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:31.860{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-309MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:31.464{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494E26A4EB1D05AECBF182D84CC5793C,SHA256=1B2E36D84C3D408160CE21690B6D83042E77C77AC7BB700C8C8D12A451F215F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:31.128{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A66B4AF6606BDCA7117113DF44C58699,SHA256=6FF7EC5766453675F55837A7227CC6E77EF6A3CD69F75CE277CEBE17435C24CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:31.068{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6752E6DBA55DFF594F0A5A7A0BA98176,SHA256=B1162BE5FE6BCB6E39BBBDA9DD1784693ADE265636E96C87430D23D5864E6262,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:29.014{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53713-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:32.860{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-310MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:32.529{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A72B3556C72B460DEB3D136657F458,SHA256=58FC1CFF8B46008BF9B13FC1B5BB8E5A3A02CEFAE8FF2C8C9937772C4E522D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:32.078{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6949386C1B93BED8760D15787F5BA298,SHA256=826332A8DDBC61E56FD280952F9E1485C48A3AF7436C0C093152288CAD4207BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:32.386{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000125704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:32.386{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:32.386{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1231fa6.TMPMD5=39D11997735CDFDAB7051AB86B8F82E9,SHA256=34F34B56FDEF9CE630B3344FE748DFBC186169F1CA2CC69FB9A6920D5DE026AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:32.371{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\aborted-session-pingMD5=C52358C1CFFF56754A5DBB12BBE8E00A,SHA256=E21FEB58AC99D8B1AF6F35D28E10BC7D3454BD7E791385CBD67D4B0B22D538A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:33.621{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425EA9325F630E2BE222FF6D23E34B3B,SHA256=F67D5EABE0DAB8828FFA18C1E8B272BE64382EEA1276437C82265AA4744004D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:33.087{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BDEB795686C15A4D7B72FF42E2F1F5D,SHA256=766744D52844F5710DB6A111E1A410C5C6C986DAA1F0B662D523DA05E541E9B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:34.741{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3D4946F8F8021F4C22920AF82B5E1A,SHA256=E585621072287BF5CF2F148BE23C4D7505A109C89A17A75FEA24B5710AD8BAA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:34.093{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC2DCA8A6DBF569F4FF9E993E2D59FE,SHA256=700F996FEA6236C4F72D280E1C5DF3D4E5A48AFC6CF4BE9370947016718CB7A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:35.773{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F712AE578D078F02CD9235EA618353,SHA256=77C07523650247932E200E496FF068BB2B584876DBA7DEC516C2C3925626FA27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:35.300{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167C436761A1B1946696B9113B5A28B8,SHA256=D29AE16B4D3CFD0DB3BFA6CA187C78D2F2F66D7DD101A6B378242B312865E417,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:32.550{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53017-false10.0.1.12-8000- 23542300x8000000000000000125711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:36.805{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94741C7B93AEA792D58A97A4807F7A82,SHA256=0E3E3E0EFA1D54B88A63C9620BDED9CC588924839B3BA093E2E1525C504627C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:36.813{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D2EC-6322-0100-000000007402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000154883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:36.705{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:36.695{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:36.308{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACAB8C453B0834E35909FB6A364F2971,SHA256=BE2111DCF67B91ABE9DCD61783C13B7CF13122413E15F77F1F322C376A0B9FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:37.860{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F1AE169AC5C66623C719CD86DC86312A,SHA256=D2D2CF1E952FDAC1BB94BF92402D6CCBE4147BB2A3888207BACE3CD396F0CF0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:37.777{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C2CB3A2B4EE5781921D67F8D46F3B01,SHA256=043A36404C01EF8840AE40EDAEA3B6C3B155699BB6E793DCD874F3F27A64F807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:37.320{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B00D66792781C19C35CD348E25CD81EB,SHA256=84CC86D380C53D5701FE22F11007942879FEED6D776960FB947608BB0F857DCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.997{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.995{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.993{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.990{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.989{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.986{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.981{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.980{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.978{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.976{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.975{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.972{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.969{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.966{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.963{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.957{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.954{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.943{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.936{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.911{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.904{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.896{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.889{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.877{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.870{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.861{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.854{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000125716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.849{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3276DFF634C20FBD29A5524FAC4109E3,SHA256=F95ABC18E0E3129F1A52C22CFF9FDD2AE15B2A6087F91D59B72423440B7DF04E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.845{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.834{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:37.832{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 354300x8000000000000000125712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:34.169{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53714-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.885{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863AB4C94BD5877AA8638ADA845B93F9,SHA256=21854F78EA614A51A7ADB4F1D79ADE325BF3287EB98974D5CD17A68D83218EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:38.332{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E4410789783F9D73F2FCFA1D075FE8,SHA256=F810A9A5FDA8E27C8B29FD64AE327AB32262CDE53F1E62CF1AD42C23D964B76C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.732{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=77CDF0146EE81E6359BA817B2E76405A,SHA256=DCDB8684A92B103CD374B17989E70C8A1B86828D980C81F9C7DEE5A88BC51116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.203{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E7EB4423E69E39FE32F5C03DDD7694,SHA256=D980262567A33E86B44FE07BECF8C21719E702A16DEC2721A21A8B29018DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.131{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 354300x8000000000000000154893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:36.321{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local53020-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 354300x8000000000000000154892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:36.321{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local53020-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 354300x8000000000000000154891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:36.215{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53019-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000154890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:36.215{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53019-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000154889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:36.207{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local53018-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000154888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:36.207{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local53018-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local389ldap 10341000x8000000000000000125762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.128{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.126{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.123{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.122{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.109{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.108{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.108{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.104{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.101{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.098{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.095{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.087{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.085{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.067{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.055{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.047{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.017{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.010{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000125744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:38.001{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000125767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:39.934{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC766D1313648B3C026867086F2F89A,SHA256=14B5FE5469744C114F6F86D117B2C8FD5B2B3EABC2F86674DC405BA38AF9E9BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:39.439{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596BD44CB8A1BB2302B938CFAA151C3C,SHA256=12328377F437E8D04C79FE6D84086471B385BE82202AAD73E395A3D950744DA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:40.650{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=821C7F43903451EF16E6A135A90513F0,SHA256=F5028ABC1CD58E876BB5FADE2EFC30DCA8F0ECB8D20F272F1EF07B03C132B172,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:37.603{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53021-false10.0.1.12-8000- 23542300x8000000000000000154898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:41.659{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7CB69031F9BC5273499743D29A8376,SHA256=013F1A45ABA8928A76BE78B7924AA74AD54E4856A46A1A04DA694F17E22D4065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:41.008{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB378DF424FBF3FD4C38D3A668648876,SHA256=A45D1B937F313919989F3C630BBD8480C303B49B1946B823EC31A14F39B56CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:42.667{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5ED2BDC39206CF54C87AB2CF1849F9,SHA256=5AB984860E876CC0D5DE7A781064BD4A808206029C34309933352F873E530598,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:39.179{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53715-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:42.069{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0B3845DFBFDFD9B0C5C380FA002C11,SHA256=17373B7B437699F4800AD3076FD788FF7C8F90E6803185586DE58719F49791C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:43.677{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6BA70B9AFEC2055D60118BDEAD93F87,SHA256=75A2BB46B08A62CD025EE2D91FF3C8D0CE1E21C4FBD191A9A358ABD3BC84A0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:43.155{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AF02A3B10650875A74EAD5E42ACF6A,SHA256=6CA12DE4551217032796C72D1599A0150345C24CC24F54ACAF847A0E8CB9218D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:44.686{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DC8D5DDF05BF2298469CFCC2895B1E,SHA256=5B7D573A3F874344AD77F9BB9659C346F86761735F8E18631EAFB3230E2DA3B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:44.301{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:44.301{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:44.191{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A853192C2D62842632DCC691E3ED814,SHA256=9E35B1E12FDC696C953EFAEC096B33F6359F71C8C0FBDBE40F3B41A3520DA3CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.703{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000154925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.703{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF921D2DD30790DF0A5BF0D9540F70B,SHA256=039B5128AE927127641766C16C2FA6044D8AF91B81F6033ACADFC95A9836279C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.700{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000125775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:45.219{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1944E08E6EEC7A013B280B69F011AA8F,SHA256=0DD62E99D7C15E9E8D158DE093528BA03D9E8372E855670743002366CB141039,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.239{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.232{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.220{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.217{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.211{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.208{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.206{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.199{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.194{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.164{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.149{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 354300x8000000000000000154912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:42.703{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53022-false10.0.1.12-8000- 10341000x8000000000000000154911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.144{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.138{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.130{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.113{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.103{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.097{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.086{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.078{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.038{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:45.036{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000154927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:46.712{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B45FDAAB32501C387EA933A587ABB5,SHA256=1A5605773561095FD1FAB556C7761D8E074C60ED16C82720F4971AB94D8291EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:46.279{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F1CF73CCFFC260A545DF42C5A126B9,SHA256=B30BC02BEA95C477D04968CE67262D362A13488876D64DDB631CB1EB446788FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:47.725{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F1D83C769A5A8E7862F2E852040CE2,SHA256=05679029B6D22D62AB780719C941F105430A445D03D18CD880C6CE0A33DBDA86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:47.717{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:47.716{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 354300x8000000000000000125778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:44.191{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53716-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:47.323{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F013EBCDC2B2AE373C7FDB233C23FE7A,SHA256=93B4B44A08CE866C48CABFEC3D5F55510FAB674C92702D7A27F413271E636E5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:47.710{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:47.708{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:47.685{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:48.652{E743DC12-1FE4-6323-C20B-000000007502}15364880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:48.452{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1FE4-6323-C20B-000000007502}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:48.452{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:48.452{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:48.452{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:48.452{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:48.452{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-1FE4-6323-C20B-000000007502}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:48.452{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1FE4-6323-C20B-000000007502}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:48.453{E743DC12-1FE4-6323-C20B-000000007502}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000125779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:48.425{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AF8F5A724B269C161A7C1DB1173A37,SHA256=6B3C6FEED648956E18277ACAD5E70ABF0DED2A5A0DBB801F58655D32E3BBF8B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.661{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20A585452102A329416598D2BE87C187,SHA256=284AF9C22D14676B078B1E8C4B69AA823F0BF9D1701C793CC5FF21C631C4F909,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.498{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.496{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.495{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.493{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.490{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.488{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.484{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.469{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.455{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.453{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.451{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.438{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.434{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.432{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.429{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.425{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.421{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.418{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.418{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.412{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.408{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.399{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.396{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.367{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.365{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.340{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.321{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.276{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.267{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.252{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.240{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.238{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.232{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.231{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.229{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.228{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.223{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.222{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000154934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.220{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000125807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.975{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=381B2FA0C522B4C062841231C8AC392A,SHA256=AB5E189B11C8EC3DE7A12732401E48C5D5E1EF34FF6A6795FBF7DB27A3412BAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.787{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1FE5-6323-C40B-000000007502}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.787{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.787{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.787{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.787{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.787{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-1FE5-6323-C40B-000000007502}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.787{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1FE5-6323-C40B-000000007502}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.788{E743DC12-1FE5-6323-C40B-000000007502}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000125798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.557{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49643D6B0D29C9F54CEBB1AD7C4AD351,SHA256=9BB7A78C9703128FFCA823F9A6504201AC4203064900CFE1710717E71A1EB4E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.486{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A975BA6333713E6D9374EC01130B98E5,SHA256=33D6C065C784D9E23DDFC3A9001DFE95D236B3CE3644C0E1CD002244F3233CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:49.160{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EF43A45BAF44E6CC28BECF76409A87,SHA256=D8CC6220335E656336468DD6085A898193F5DE83CED6E248E450ED3636AEFF69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.111{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1FE5-6323-C30B-000000007502}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.111{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.111{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.111{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-1FE5-6323-C30B-000000007502}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.111{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.111{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.111{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1FE5-6323-C30B-000000007502}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:49.111{E743DC12-1FE5-6323-C30B-000000007502}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000154975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:50.258{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046B39628D63982B8B6D37763F193E75,SHA256=4C28640D5A27388CD9FE6B91841C8A142F423A6C6B374E5BD414F6A7B61CE252,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:50.614{E743DC12-1FE6-6323-C50B-000000007502}19045160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:50.556{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5AD3D7509280DCC3187163BE3AC8778,SHA256=83B3DA20AE82C864F9C29D52EAD981926E983EC5DB74FD0420BE420E9FF10767,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:50.456{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1FE6-6323-C50B-000000007502}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:50.456{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:50.456{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:50.456{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:50.456{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:50.456{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-1FE6-6323-C50B-000000007502}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:50.456{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1FE6-6323-C50B-000000007502}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:50.457{E743DC12-1FE6-6323-C50B-000000007502}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000154977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:51.269{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDDF62849AE370589F966B178C5CE30D,SHA256=570DA98ECF65BA57A916A75FA8F92318D5B2BF22FEB990C21071808385F3B79C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.674{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1FE7-6323-C70B-000000007502}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.674{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.674{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.674{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.674{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.674{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-1FE7-6323-C70B-000000007502}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.674{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1FE7-6323-C70B-000000007502}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.676{E743DC12-1FE7-6323-C70B-000000007502}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000125828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.610{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E3F8B5E3B7958DB79AFAC7C55F6F1D,SHA256=047416718FAE14E65C1B1DA90058E03C63AA7D7508222BCB49DFB937F39D68E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:48.578{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53023-false10.0.1.12-8000- 23542300x8000000000000000125827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.431{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=723E23BF34700D4F377A7B4C77161E1E,SHA256=E5772CDAB1FDF06CC33034CA7CCD3DD9FE1BD91185298FB71F2E2FECA5CB8C70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.242{E743DC12-1FE7-6323-C60B-000000007502}36324276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.057{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1FE7-6323-C60B-000000007502}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.057{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.057{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.057{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.057{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.057{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-1FE7-6323-C60B-000000007502}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.057{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1FE7-6323-C60B-000000007502}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:51.059{E743DC12-1FE7-6323-C60B-000000007502}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000125846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:52.676{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013D6A6B42D777B5B092AAAAF149B593,SHA256=BD62B5ECCA5C2D50194D02EBD709DAB8380E7D1688287B99C3970D995D7797AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000154981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:52.602{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000154980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:52.601{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:52.601{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF12cbb9c.TMPMD5=1C1390FB7031B53AF8B5015FEB516BB7,SHA256=7E9DB3FA9C07EFD7A9158EE7BC0183A5F15EBC556C75A7245F742DAFF3D723D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:52.278{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A76E2D2CFD1AF58B42BF29629ABFDA4,SHA256=E7BA990E26FDD0CCBEAEBF87AFBC2479C1A9167643AFB8BE80AE80B5114C08DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:52.476{E743DC12-1FE8-6323-C80B-000000007502}46841680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:52.312{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-1FE8-6323-C80B-000000007502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:52.310{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:52.310{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:52.309{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:52.309{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:52.309{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-1FE8-6323-C80B-000000007502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000125838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:52.309{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-1FE8-6323-C80B-000000007502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000125837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:52.308{E743DC12-1FE8-6323-C80B-000000007502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000125848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:53.735{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C682C563517481BF961ECEB7FFBEA4F2,SHA256=93958F0785E2F6FF646502320EE5D9BD9F82EBAD0626B7317BC27BAF7414D43A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:53.947{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DC2A6489242D31AAB948EEB1B361EB61,SHA256=CE94EA0416DEE03467C8E24FAA689750DAE1A56C2630B9DC42FDE2A3615F1DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:53.285{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805D263C932AEF0864C44BF21CF4E952,SHA256=6527C16F41AD7CCCE0D5482C75BC9CC6A86D4D025D1F8DEDFC1E062D239F0D4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:50.063{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53717-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000154982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:53.165{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-319MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:54.881{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=823C3585B20A5957D27E9488D1ABB294,SHA256=76114A56460566F97E839EAA003C0A703BE90E7293D1A5C41A721A2E58D3DA34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:54.392{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC77988E24B9FA1273CCB211A07D94A,SHA256=3BEDC546807314ED6B10EFDEC6C40F2CDFD540B2F854F97D180BF06B185248DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:54.163{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-320MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:55.989{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=490799FB39887F2EA051B413D55C7D81,SHA256=7C3A3A3F00F4554915483B9EBC804E35499CCD17DDD0DADCDD59A675750EDE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:55.400{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156B1DE1DEC45B9B3F63B98F0FC93BDF,SHA256=5A2346B0FEE74C0FA34C91F4A336D826627041A47CB32A754B585C7D949BDC95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:55.339{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:55.339{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:56.408{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B510C7FBA47AF408E9A03A71F8F5F41,SHA256=86BABED73FB7E417D5B8E02C959E605AD825F25D6BD0D618B3D872E31F6D4A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:57.419{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9874582A4FF4A6838D34593D1F7D7835,SHA256=F87A37A5D572FE45E118BEF2CC78E202F17913B8100349EDB264C51FA46BB169,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.996{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.992{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.991{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.988{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.986{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.984{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.981{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.978{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.974{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.970{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.962{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.958{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.935{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.927{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.903{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.898{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.891{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.884{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.873{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.868{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.862{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.852{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.844{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.837{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.834{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000125853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:57.017{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4695CC0D47D935DE308646E841E2E05D,SHA256=6E834DEE6603708D94459D140C3C0F0427ABB90F810E9EEA5DA57DACFC04DF21,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:54.542{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53024-false10.0.1.12-8000- 23542300x8000000000000000154991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:58.428{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13F070D83A28EF47E67C517A86BC162,SHA256=A1BCA5FE3884BC54F2C2718876487DA728EF19E4E8E85AC2E7B6F26EBA104267,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:56.066{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53718-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.243{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B216FA211E1DCB46BE7502B7DFA245,SHA256=15C7A1790BFEC94D544093A0E90951F59BE73B1BAFA3CA0F98E98DA69A5AAB42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.147{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.145{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.142{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.140{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.138{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.125{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.124{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.124{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.121{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.118{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.116{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.113{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.106{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.104{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.088{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.077{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.068{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.039{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.031{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.018{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.010{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.008{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.005{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.002{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000125879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:58.000{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000154992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:59.436{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA7D74D48D2EDD44F1729A0348A2BAC,SHA256=8C55F11DB74B09F1B1E654A627D1B6435E6CA6D00BC14A03333739CE9CBBE8C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:51:59.077{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0266049156C1011F540B97166D7A986C,SHA256=5B656977F8467CB263FB021EF71910968E9B93288C1A3D5E3E3FEFA1ADE41E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:00.748{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76CEFCF9EF151E72B87A1F2105B1F61C,SHA256=E059C9BB2FF360F8AE5770978D594A13DC606EB9E14177029174E37D1B559DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:00.129{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47F268360D4C624EBAAC3FB1CF4FB51,SHA256=10E1DBC011F2F379515B03E4036289B59CC89FBFF819F8E1F7A61696E17C2BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:01.757{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F749F1314D1FE289FA84DFAA7F136FB8,SHA256=0330B0A2A5659A382D8D8A9867B83E0D89B1200EC2FA05E44D4E09F78ACD910C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:01.188{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9F64C4F5DDEAFBA18589C0483F694E,SHA256=EAB22790B5156DE9F3B27AAF7BE4C84A3855547ED1103F7E706D5EA086D1566A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:02.868{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7259653ED7AC072B2AC681663D834123,SHA256=C0636B971DD6EDFCB075876F2A2AD37C255C70E1CDF4F0C4D63B8A65F8DB4B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:02.226{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B447DEF55BCB903ABFB794F9EF2EE5,SHA256=511854EFCCA24255AD063AEC8E67F9E1FB7B023FC8AB5AF348CE1F7E5E24434B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000154995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:51:59.593{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53025-false10.0.1.12-8000- 10341000x8000000000000000125910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:02.021{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:02.021{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000154998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:03.879{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=204B222D0AB1521D4C71CDAB1227D8BC,SHA256=D1069078F632C17F95497EC70B8475BFA1F068FB1C360F1E8B7E4810E1679306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000154997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:03.876{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF93ACE832BB026CB698472DDE726D9,SHA256=1152A244298062E5B61B19EC9EADD0290B1E2D7F788177F4D1CA20E496E41710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:03.291{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B094A1BB56EBACE61EEDD258E4E8D8,SHA256=95362E181B3C39601D1FE32A2E00CCBE1ADF4CD6925C5212F0206535490562A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:01.077{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53719-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:04.392{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D97140FA46216A484778BBE68B49419A,SHA256=7E1EBAD1470528E988BA85532875DAE16708B41FCCA2C7A19A5EB8BB20F7E50C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:02.301{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53026-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000154999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:02.301{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53026-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000125915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:05.478{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9B989CF9DCA87DFCE2979E6662B88F,SHA256=CED2040E431E7ABBA2C1FAD127FA6293040AE1ABCAC23077727C5FDE0B0A42AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.685{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.684{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.246{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.236{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.224{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.218{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.214{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.211{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.209{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.207{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.196{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.164{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.148{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.137{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.125{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.115{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.106{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.097{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.090{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000155005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.087{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=688832993363B72FBEEE564EF4801568,SHA256=714A979C825DE203C685F9559F481739EF62D215C014DBEDB3CE8755D9CBB9F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.081{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.074{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.032{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:05.029{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000125916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:06.579{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C2D05FB2E7D5A3385C64B2B3FD42AB,SHA256=FC459DD72370B757605798E6201158DFDBB6ABD3091FA23A490DFF2884BD5914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:06.198{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B0C1AAFB3C6420F7634BF9824911C0,SHA256=A78A6CB1F769E8510D76825ABF9E442A74B70F2843DA25FA2D926AAF1EF0F0A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:07.780{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:07.780{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:07.712{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B60F74653F883E4CB3A7464BA46E15,SHA256=2E83722DA7FDB2F266EB4F564DFA1D92F49BD254FE612017549B82941F4C97B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:07.702{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:07.696{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:07.691{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:07.689{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000155027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:07.210{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB9EEAAC32CA6BE28BBD40EF2156BF61,SHA256=AF72823BDB0CB60AF700984930374EE153BAD285638B7D46A13CC5A79215212D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:04.699{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53027-false10.0.1.12-8000- 354300x8000000000000000125921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:06.185{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53720-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:08.784{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFD32B21B74C72CB1372D7B8D9C6EB2,SHA256=57CEB785C615D920D5844A40021CBE487DEF4D31C05BE594DDDCDF3D27F743DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.464{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.462{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.461{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.459{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.457{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.455{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.451{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.439{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.425{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.423{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.418{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.401{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.392{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.391{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.389{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.385{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.382{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.381{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.380{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.377{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.373{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.363{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.362{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.338{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.336{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.316{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.301{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.262{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.254{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.243{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.227{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.223{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.221{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000155038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.220{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B309370CA1314EB2B864CF59C177B29,SHA256=48F529E5CEC401A5C135EE87F8FFD7AE282B583AC62F5C6AA488ED4EE1FC72A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.218{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.216{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.215{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.210{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.209{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000155032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:08.207{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000125922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:09.859{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE873DFACECB115722FDA574A6FDAC0B,SHA256=1EB28B963E8C244DB9E280574FB16902F4C136F31FF1E27431EBA637FFF6A9D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:09.527{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE24DFD2F0F71C3462B8926A221B9EB5,SHA256=89C76796B6EC8E79885B5DB21216E05097BD2F3BF10350226B78FCDA6BF4E8A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:10.917{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A121B9AE288FBCA1DA99C4B093D37134,SHA256=0A326D8F1D4191CE0AB47D01AA0ADCA9C2A115FCD7EAF28C71B251877E017A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:10.756{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC04184E4BDC35307AE214180AC03B66,SHA256=BE5E0596439FA5AE816A602796DD05192C09EF5F7D22D03082CE45A3F46B0172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:11.987{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB6818FE1D8729276A42BE85212C1C4,SHA256=537E9CBFDAE2EC8ED79D712CEAA9160BAE8DC0E0FB0CB80898F173462CD07709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:11.777{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A69C7DF9C3C11C9A7D48C438584AB2F,SHA256=A383FAF2952AF7948378A92B2F769BD759B1BD9AE0335BA29389D7FCE20B5983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:12.890{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4181829DD60C06FE63AEADB07D9A1993,SHA256=E7EE6393FB2962427BD92FBBB7E116B770C28B66C6D28AED5D7CC04B38FC48AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:10.546{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53028-false10.0.1.12-8000- 23542300x8000000000000000155077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:13.991{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CC6A4684395C72A7D7C8735579839E,SHA256=21948D8E35BE4E36C2D347757C96E766D8924E02DCE66207C7DE13F021CA4DD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:13.463{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:13.463{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:13.037{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90954FFE1394FA4A5100FABCD9C38C93,SHA256=04F92447658F4CD861C2E2599AEDF9DDA87ECB771071448FFF45CDE31DA20187,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:12.134{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53721-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:14.121{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A140C9D65776F2757096D84312FB384,SHA256=4D9D4D276A43DE3EBBD638A85683C156B36A62A4C331D80A1AD019CDFBFBC13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:15.191{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61EB933F36AE0177D7CCFEE7D139EC02,SHA256=B78E90CFEA4AA129D1FA2D6D1B538EDC67F3DA037C67AD16A87797A635F18788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:15.813{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000155081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:15.433{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txt2022-09-15 12:52:15.431 23542300x8000000000000000155080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:15.433{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000155079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:15.431{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txt2022-09-15 12:52:15.431 23542300x8000000000000000155078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:14.999{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5122EE1A7BCD324F11CED4E257C75D21,SHA256=2500EDD24307F130FFD1F2667E2C87879A49A84E340F2C37CEC7709EE89F9F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:16.292{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC93728866121C0EF7F39509CFB7F792,SHA256=89F6214D4381141896D9033575C85D377B505DCEC78862A9CFFBA895C46FAC45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:16.015{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2CF0003AFCE1EB400DECAB8DA540CB8,SHA256=F2FD4BF6AF0E0A04C488B60482960F9A8866E8E68E4878446079B6C014A801FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:17.226{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2CA24FFA1CED3C5EB512321AE74B738,SHA256=6930AA1A0581F6ADA6527C4EB627610A7BF2B919E1B0B3FB196BE952B9108B13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:15.305{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53029-false10.0.1.12-8089- 10341000x8000000000000000125945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:17.991{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:17.984{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:17.950{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:17.941{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:17.926{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:17.910{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:17.896{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:17.891{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:17.882{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:17.866{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:17.858{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:17.851{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000125933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:17.848{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000125932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:17.324{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1D604AC75E8C7FB4CD4EF41EEFE884,SHA256=502A8F56F25A3180239B42B63EDE7975F4515AB41A62A1FBA128DF400EC4EAD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:18.236{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5254B4FB549CC86BA63E0D295C4DA4B,SHA256=40CE5EF1ACD972912308C5CB5C4FA143410A123BC3DB8AC7BB6F37EF301F9A62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:15.694{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53030-false10.0.1.12-8000- 23542300x8000000000000000125984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.411{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C15F58A72B6325F9D7140656C6285E,SHA256=F9F219F84055CE8AEF96535A80D51A060C1446C4E9F2ABC8EBF4BCA9944274DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.325{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3128DE3764D016F9C803B333202AD38,SHA256=F792B6B37874D21DE303106FA858238C63A16AAF60DF51AA73EB47D882F2B713,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.175{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.173{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.170{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.168{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.166{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.155{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.154{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.154{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.151{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.149{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.146{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.144{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.137{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.135{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.119{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.109{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.100{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.078{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.070{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.059{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.054{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.053{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.050{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.046{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.045{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.040{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.037{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.036{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.033{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.032{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.030{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.028{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.024{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.021{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.017{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.006{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000125946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.004{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000155088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:19.247{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88899795A867190ABFFD2B13AB4757E7,SHA256=763CDDD3E09446C0AA58B0EFD0D4E7A938B2F4C3B13DD7E89714B61E321822A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:19.496{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C3D272C84F6614282CC3649258EF27,SHA256=652040F285C76444A6F11F2DB544542B37759F8B41868807EA927064AAC35F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:19.095{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000125986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:19.095{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:19.095{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:20.597{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=671E16E772539E98172AEA07B0FD8E87,SHA256=59241A92907CF07DAC8777074B71B50FC929B1CEAEC7A69B6A8DF2396E18D4F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:20.570{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D594F6E6CF5A5457B2C977A7A196CE,SHA256=FD28948079E83A25C44664F7B5627F046FFFD006381E99CA0EE2F6F41298C382,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.800{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-2004-6323-F813-000000007402}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.790{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.790{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.790{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.786{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.789{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-2004-6323-F813-000000007402}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.786{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-2004-6323-F813-000000007402}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.784{6820D070-2004-6323-F813-000000007402}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000155098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.782{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FCC1511A36850AA39854FD478885D8FF,SHA256=8C3C5DE6113C83F5B80DACD7B2383269409195EA5105DF764B95502F6A9DD65D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.259{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5BBF3C949D58C4DEF58878E98E5FEA,SHA256=43C2636EEBC8B2E69625EC1C7FA5AC951FCD15E9E0A7E5E4592FFCC3DBF2A42E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.235{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-2004-6323-F713-000000007402}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.233{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.233{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.232{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.232{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.232{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-2004-6323-F713-000000007402}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.232{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-2004-6323-F713-000000007402}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:20.230{6820D070-2004-6323-F713-000000007402}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000125992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:20.243{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:20.243{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:20.243{E743DC12-D54F-6322-0B00-000000007502}628712C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:20.228{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000125998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:21.629{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D84017BAA51BADBA4792F4310D4F06C5,SHA256=6B503E35520391707ECE9D7A52E8AEEBCA2312CB35CC2F9D802D21F8DBFD65E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.994{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-2005-6323-FA13-000000007402}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.989{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.989{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.988{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.988{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.988{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-2005-6323-FA13-000000007402}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.988{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-2005-6323-FA13-000000007402}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.987{6820D070-2005-6323-FA13-000000007402}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000155117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.479{6820D070-2005-6323-F913-000000007402}7372172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.318{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C5E811A3A3DA5B1B7C8A7AD23F906D3,SHA256=A778F7CE3C1A7A5315C1BE0F7299F48AC4D1817C8845B263A84AA46BD0EEA782,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.308{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-2005-6323-F913-000000007402}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.306{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.306{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.306{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-2005-6323-F913-000000007402}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.306{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.306{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.305{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-2005-6323-F913-000000007402}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.304{6820D070-2005-6323-F913-000000007402}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000155107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.271{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22725EBF1801C709AA4CC506DD6B5AEF,SHA256=39F7E1011D8DCEA22D64DA78F10960B9CBD1BD55F8E1BF4A90524684BF4A336C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000125997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:21.430{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=941AC353C953DDFCCF4EFF41B73E6E71,SHA256=2A1263BA223A642C5892B87F1A1AC447C4FB4B221931C26085F79B302DFE3EA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000125996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.041{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53723-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000125995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:18.018{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53722-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000125999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:22.730{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FA9A952999C425F220379205EBACE6,SHA256=3CDECBF08AC8859587288EFDB3F8F8F247AB5F2A5712D4E22FACE109F0564542,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:22.822{6820D070-2006-6323-FB13-000000007402}81726480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:22.657{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-2006-6323-FB13-000000007402}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:22.656{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:22.656{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:22.655{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:22.655{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:22.655{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-2006-6323-FB13-000000007402}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:22.655{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-2006-6323-FB13-000000007402}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:22.654{6820D070-2006-6323-FB13-000000007402}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000155126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:22.287{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49DAB7884139C6B2F3AC5A82F7B442B8,SHA256=4CF65D3395205E9EB6C71D846D699E2975A1CF6BC7B5847E893B353293D31434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:23.786{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1EC49E5424478AF51E58518B80A4C4B,SHA256=C8D15F39F971467E384D96D8BC759230A2C761DB7ECA978CAF4AC8DDAA3FF0F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.925{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-2007-6323-FD13-000000007402}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.916{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.916{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.916{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.916{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.916{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-2007-6323-FD13-000000007402}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.915{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-2007-6323-FD13-000000007402}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.914{6820D070-2007-6323-FD13-000000007402}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000155146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.505{6820D070-2007-6323-FC13-000000007402}3444588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.323{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-2007-6323-FC13-000000007402}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.321{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.321{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.320{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.320{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.320{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-2007-6323-FC13-000000007402}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.320{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-2007-6323-FC13-000000007402}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.319{6820D070-2007-6323-FC13-000000007402}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000155137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.299{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F5ACEBD98B701D661066F5755592F5,SHA256=56608560B8CA2DA26E6C842FDCA6B43B16B1C386A6B165CC76F84023FF9B9CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:23.163{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=395DFAB604BA92B225AA84FD554C4ACE,SHA256=E7554FF7B0304F9881B9C25C7E82D7047205E5F75B931D2D1BD99601F1AFA309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:24.823{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC1253E34AC9ED29E1FC4CF71EC3443,SHA256=0E7CE4D1575A79304042C54B1A4B2C6D1EB22661BC298151A93D48EF4772B93C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:24.319{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38BBEC17F3EDAE55201B98DDA074C97,SHA256=DCD98489E24F9766E456A3DB6E34C55D2496AF71BA71A01B64A355B79540432E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:21.653{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53031-false10.0.1.12-8000- 10341000x8000000000000000155155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:24.140{6820D070-2007-6323-FD13-000000007402}20287664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:25.913{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A931EED045DFEBAB1E36367FFC411AC0,SHA256=FAA88FCB1C310FF06B61077D60DA2EBAB4047201841D776D20C5B65076D11BE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.567{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.566{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 23542300x8000000000000000155179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.334{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6894AC5B6DD832FF98415E8E7D10046,SHA256=851FA006A187AD393825DC641BF1C9CE83A51B7E3A39267DCB8F2385ED18419D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.211{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.205{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.193{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.190{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.184{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.180{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.178{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.175{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.169{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.142{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.128{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.123{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.117{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.109{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.101{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.092{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.086{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.076{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.069{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.032{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:25.029{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 23542300x8000000000000000126005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:26.988{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=572FD4AE16711BE3D289A52911DB3695,SHA256=387505558952FF9A06A087CF91C67E1A4B9890657CC83D5229601ECEDBD9A853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:26.346{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEAF8A1831B6937771838FF79F1DD1B1,SHA256=A9F56BFC2337509582CF5412978DABFC31DD9DCC88C8C5B7FA783B83B68AB2CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:23.984{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53724-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:26.287{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=D68686FC76F929C26866440C5377C2C3,SHA256=73BA68C26AE2972D2CB0935CFE2EAF44914E28E7458C94CD1763944E9731850D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:27.580{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:27.579{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:27.573{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:27.571{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 23542300x8000000000000000155183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:27.355{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1909A3C0C9E1FA39B31149BD1954ED,SHA256=56EBE57A1693194015B8DFD854E57C986C3EC52B9B01EB7DD7858DD54417FE17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:28.271{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:28.271{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:28.216{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:28.216{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:28.047{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03CCCAAA29CE364079539CF5CBF57A7C,SHA256=F2528D61A6E9D311FB8CF4CB0A9DCEA987FC1603E5AFA4F84D0A1A25DA955DBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.685{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.685{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.685{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.685{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.685{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.685{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.685{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.685{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.685{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.685{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.684{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.683{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.683{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.683{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.683{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.683{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.683{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.683{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.683{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.683{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.683{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.683{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.683{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.682{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.682{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.507{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D848B7FE17E610320D7CDF73DA21706,SHA256=16FFCBB59579B3FE1FAFA19D4DCFC6D9522CA3C966219FBF6600A084D43CAC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.468{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.466{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=17AEF2A51B58E95C01EC16B7C8BAADB6,SHA256=F124E41D23738001907B7D1FEFE4799D35C729C3F26E9377F87FD4173BB6C0D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.279{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.278{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.276{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.274{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.272{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.270{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.266{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.254{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.242{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.240{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.238{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.229{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.225{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.224{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.222{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.220{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.217{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.216{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.216{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.213{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.211{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.204{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.202{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.185{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.184{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.167{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.159{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.129{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.116{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.107{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.103{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.101{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.098{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.096{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.092{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.091{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.087{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.086{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 10341000x8000000000000000155188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:28.084{6820D070-DD11-6322-8606-000000007402}52806324C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000191FE190) 23542300x8000000000000000155275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:29.529{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DCBA8E239FD8F34AFA8B169CFE8140C,SHA256=56C7ECEDD186A55D6AA311D72D39DBE4163B8B1DB27B9B10889B4FFA6E43E868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:29.117{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B43C0271E1534AE0D8A449F7D276E6,SHA256=BD899D02AECFEBC362304ED910B1CDC1DAA0542BA2DC5FB397F23CCA56AC944E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:30.623{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6F88AD3ED9DC7E546A4D088E6D2737,SHA256=3DC42996868C4170347F722C96CD292F7BF54180B424E1965AEC13EE14090BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:30.169{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53FA52B8B7873FDC0AE2045533185C4B,SHA256=5E5A8D29472DF999C0F753443B31E4B451B8117729019BD2AFE25EB85AB96FBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:27.589{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53032-false10.0.1.12-8000- 23542300x8000000000000000155279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:31.637{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F244DBD2489B6C2F0F9F611929B294F,SHA256=59C552FA91C7EB29C43D2A83CAEB772AFF809CA8822CC503B507BBCE46AEB0F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:31.219{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2448EB8C206530E1914DDDB0F37753,SHA256=D070819039B51507D2C67EA915A4102432BE5F5B7FEE1E1DB6C30853755ADDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:31.129{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FAC0D0F058E93F56A3185FF23B1158F2,SHA256=8A06F5170A83D9DE45ED0FFD48C291FD0AB38FBFB747C7096D736C8A002D15D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:32.652{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402FA3A3922A1970B394A93C41C429DB,SHA256=851D760491298377678B01CF87D9A2E45D2314474C255DBA663C900A30245A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:32.294{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807E0647F75BBBC6D42A01B7583A53B7,SHA256=88224EBE5016EF6013C7DDDECB90F141EBC4C677CBE8519B4D15A0BCB1C02B28,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:29.038{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53725-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000155281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:33.667{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F67E41A502E3987A22261E32C2AF44,SHA256=C82AB27ACF1E8A769B6BFE0CC1FF8B12CE1660BFF1072500982373967B10ED1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:33.808{E743DC12-D550-6322-0D00-000000007502}7842752C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:33.378{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=9F966764695515F257439F3830E77608,SHA256=81CFC0D660A638F49FDFA72928ED9FD45C3C03EA444C49FCFE74F2379940FA68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:33.374{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12934826F9EBA771B93AD8281DE20E3A,SHA256=1AA060ED95510D015CA83807CAD9E44DA9398AF90B1ABEDC0CF30B3055E190AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:33.373{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-310MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:34.672{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50451419964F40F9DF93F9C8DB360BF1,SHA256=566507E3B08DE77D8A9CDA798C338D1EF67591ADB12A94FE2C85871DBFD32466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:34.427{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE57BCEA921D540C3652C0C5F0289AE,SHA256=809026874B016001B47F9926ED7A5FF84D11CEF5378F5400F7F929194FFBDF57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:34.372{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-311MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:35.541{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE58858FCA16DE4B030A170C20B04B8,SHA256=5688EBDC147047BD733650D355DB7F430CF9AE34BFC376F001CD2B4EA2E4DE22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:35.687{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E3EA9BB68B9B7CF66B16482814737A,SHA256=9CC8CE57E7480C81DC869EFFAE593DBA1D69161BBCFDF068785F3CDD2212746B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:32.725{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53033-false10.0.1.12-8000- 10341000x8000000000000000155283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:35.098{6820D070-D2F0-6322-1400-000000007402}10882144C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:36.629{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B7630CF5A27D09DB186DFCA4568DD2,SHA256=A39B3CF36CEFC81F99D1ED6A4534B08E7E271CC80AA9B8A07DD1ECD85ABAA614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:36.794{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1B2599E9231A3292F1FDBBBD945369,SHA256=B0965E7169FD6CAFB816351D7BB6AC39ECD9C5A05650DB7EC3DD24DD76D4F054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:36.516{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0988BB0CEF89B2C8FCB36D78B9538C02,SHA256=E450D124F265631FDB85A3669538629346CC089E6A2FC2AF4F71CC75A15909C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:36.086{6820D070-14A1-6323-7F12-000000007402}78967424C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000D667B8F)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(0000000000D1D11C)|UNKNOWN(00000000162287D2)|UNKNOWN(0000000016228713)|UNKNOWN(00000000162286C7)|UNKNOWN(000000000810E5FC)|UNKNOWN(0000000008107365)|UNKNOWN(000000000810756E)|UNKNOWN(00000000081075A0)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 23542300x8000000000000000155289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:37.804{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D406CD78A6E4C3385BA9A8C864D84AD,SHA256=AD4F67A7FC5458E4121F583B48186BA47C59220D5DEAED0F924C7E6BED596F83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.996{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.995{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.993{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.991{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.988{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.985{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.982{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.974{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.970{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 354300x8000000000000000126038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:35.029{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53726-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000126037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.955{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.947{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.905{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.897{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.890{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.884{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.869{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.864{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.858{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.851{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.844{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.835{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.832{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000126024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:37.730{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE4151B3ED6268769278D0A56F1D77F,SHA256=534C986F1F6CE2FC4DB404D6CBAE4D5C6AE496B7520F2BE1611BAAD6105E1806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.780{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90BF8F8B3D26428662BD14DC4B3A6439,SHA256=A84330AED187D956F5DA19D94F77DC717A0B350551A06D5B1C3698BEBB9AD946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.747{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A5B4278D4499A8AC0B7C1BF8707AE7B0,SHA256=36E41D00EBD98B61453FC4AC0989DAE08F4F73A87E1167C394D9157C5210EC05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:38.814{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55CC49833930986603947EBA20D8B10C,SHA256=BAAC186B157ADA1640DAA8C06A9D9599E1BCB8B3C43BF28DD6834DA86F6E55B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.480{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC91071F47C8B300892EAEBA3114A23,SHA256=E506FCDF561D41E655F43091BF0CAC64FC181CF0C6DB1A9116EFD559D3BCC008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.404{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=5264D5DBD83AA4DC6D31999FB8C23B67,SHA256=0018B7E942CF944875C6DE2B7066811965E28C10D94A8DD3D2A571292B8790FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.195{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000155291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:38.523{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:38.523{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.191{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.189{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.183{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.177{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.159{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.158{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.157{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.155{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.152{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.141{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.138{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.131{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.129{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.110{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.094{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.083{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.049{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.041{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.032{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.022{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.021{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.019{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.016{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.015{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.012{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.004{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:38.003{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000126090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:39.784{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157F67B28DAA7578A39347DB9E125EB9,SHA256=ABBC63EA18636901EB14D2DF7502C5F14FB1BEE55545F9651DD228A859112CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:39.825{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB50D81F4C0DE53E9792AAE1648E4071,SHA256=D3B0F2E365C64A70F6145F76F5B0088BE2913F9B46D239961A81CF032E6BE7BD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000126089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:52:39.232{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000126088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:52:39.232{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x012424c1) 13241300x8000000000000000126087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:52:39.232{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c8f9-0xa7649e28) 13241300x8000000000000000126086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:52:39.232{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c902-0x09290628) 13241300x8000000000000000126085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:52:39.232{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c90a-0x6aed6e28) 13241300x8000000000000000126084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:52:39.232{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000126083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:52:39.232{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x012424c1) 13241300x8000000000000000126082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:52:39.232{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c8f9-0xa7649e28) 13241300x8000000000000000126081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:52:39.232{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c902-0x09290628) 13241300x8000000000000000126080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:52:39.232{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c90a-0x6aed6e28) 23542300x8000000000000000126091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:40.866{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987C6C2031B7132DB8C0AB99B4B58D84,SHA256=BEF1674F6E8551239F0842D8270169E1B5BA428EABD82CE7FEE803EF06D10AFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:40.833{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F63BF03A9B1CFB6CD58581C13F1E61,SHA256=31D98F51EF295E840392557C50805B90E4E977FC58A432F4C375F9B2CD72E0A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:41.844{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87128514D2D9DBF4B42A242D35E9184,SHA256=9D0F4AF6B77F9A658B1C3BDFFAAD24679EDC3D8D42CDAA70E36D42CAAD694C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:41.950{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D07CDF7A1B986B270D0C612B3CAF1338,SHA256=0F379A65EA6DF1F92573CFB1F1E247A9727E4E3A4D01CA19EA9ABC28FC6B6FB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:41.349{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:41.349{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000155295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:38.568{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53034-false10.0.1.12-8000- 23542300x8000000000000000155299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:42.954{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50B3CC8A9A1A594484523464C3FAAE8,SHA256=0E43DEF4C927BC1F30EB424DD0BFD075973C34784490DBF944F06626445F659C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:42.985{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=898C8A0339A9181E3A4CC27E5C89572C,SHA256=7825BC28C18AF33A2E68637D3F78B82B54AAE6C3E465F39E975A856D22265BD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:43.961{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C86E0D8AD6F4DEFC1B5917BB02D250,SHA256=1973B4BC50DBE87F6CDF038CDB7D45B895D2B68C4BCEF4BDE1D8C52847333E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:44.973{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31F3485AAA22805052F3C0C05A7D33A,SHA256=8F48186017AE0A4B57C5508599FA43B9C3B8EC297F71146BC1DE4D7C4EF79B21,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:40.153{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53727-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:44.017{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=455703C389E08CCA4BD2D65E4ADD1280,SHA256=62FA61E4743D98909456208EED1A2A4C5809E9DFA552196974596A286F7A71C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.990{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B05552D6061660264A0BFF79D13913,SHA256=F1DA3D2846342A265A7B4B9F63DE8C5AD274BCA9403F26FF2819A88B034DAE70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:45.060{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DD872BB6CD48A3E15E5DABCE61EEC2,SHA256=95E430CBE404907C854F86D7BB937F8E87C285CCFD0069BBD331F53C90ECF251,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.708{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.707{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000155323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.356{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=20F5B48D3559BDD507BD94A466ACD0CF,SHA256=BB0BD68A727E599DD6954B503DD00A88011533406E9497003CA289D8C23C6FEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.287{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.281{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.268{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.264{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.256{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.252{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.249{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.245{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.238{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.205{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.189{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.185{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.177{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.165{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.156{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.143{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.135{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.122{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.109{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.053{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:45.045{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000155327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:46.993{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB9ED5B439F55187C0B782B9C4136A00,SHA256=173B82F7424A12E7A3F127E127ACCD8905688C793200199FA5FB24AEDAA6305B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:46.122{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F3FEC7CE0E5B795924545A7BF5E1DC,SHA256=FFA881BC3221696E7122EFF44395DAE03BE08DFF9B62F813D67857E1CD404330,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:47.875{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:47.875{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:47.182{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53CDD02361265653A191E3DCA8A003F,SHA256=4F40B7781E37EED113EA9B66FD50EC7CC036E49DA9ED957756338225B2B2E504,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:47.719{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:47.717{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:47.713{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:47.711{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:47.685{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000155328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:44.547{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53035-false10.0.1.12-8000- 10341000x8000000000000000155373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.498{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.497{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.496{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.494{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.491{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.487{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.482{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.462{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.448{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.446{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.444{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.422{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.417{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.416{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.413{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.411{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.408{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.407{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.406{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.403{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.399{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.385{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.383{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.355{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.354{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.331{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.321{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.267{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.259{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.249{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.244{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.242{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.240{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.236{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.233{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.232{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.228{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.227{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.225{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000155334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:48.005{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E86CA736B49A2F99CBD0AA4283D297,SHA256=49514C8E77653402DC96E8CB28E836E906C139A355866580B3CC8F283B9BF88B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:48.349{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-2020-6323-C90B-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:48.349{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:48.349{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:48.349{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:48.349{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-2020-6323-C90B-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:48.349{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:48.349{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-2020-6323-C90B-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:48.350{E743DC12-2020-6323-C90B-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000126102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:45.218{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53728-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:48.280{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE05B8957F13FAEB95886C576D1D23D2,SHA256=7125EAE4905C54EEA075605ACB4077E126F4E74C32BD8BD8900BDA709949597C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:49.527{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=737867EAFB0C2C5611418A3D678C59B6,SHA256=EBCF71DFCC1A2777236C132BB14F6E67970D682E84B73322A520A7E606E46816,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.735{E743DC12-2021-6323-CB0B-000000007502}37804184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.524{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-2021-6323-CB0B-000000007502}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.524{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.524{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.524{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.524{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.524{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-2021-6323-CB0B-000000007502}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.524{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-2021-6323-CB0B-000000007502}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.525{E743DC12-2021-6323-CB0B-000000007502}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000126127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.500{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95BCFACFA23A3AE21D44804C3F5F5F97,SHA256=8E4E98BF23BBABE28FEB93694299919670B911E2CE85988D38A2DCA33A1832E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.466{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C64C2819FF8CC8CD3D6B0FC5BF526A,SHA256=AA01AACC400A1FE1DFF8A3F0DBDB9B046DDA9BF6C0690FA98F7A6AE6AF2B87C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.269{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A548EDA16E7AFBF78938226605F31CC4,SHA256=CEA750B53E7D745CD647BDEE3770DF7EB0CD2E895051BECF98A17E055238428A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.243{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-2021-6323-CA0B-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000126123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.243{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-2021-6323-CA0B-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000126122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.243{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-2021-6323-CA0B-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000126121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.243{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-2021-6323-CA0B-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000126120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.243{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-2021-6323-CA0B-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000126119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.243{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-2021-6323-CA0B-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000126118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.028{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-2021-6323-CA0B-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.024{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.024{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.024{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.024{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.024{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-2021-6323-CA0B-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.024{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-2021-6323-CA0B-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:49.025{E743DC12-2021-6323-CA0B-000000007502}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000126153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.869{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-2022-6323-CD0B-000000007502}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.869{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.869{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.869{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.869{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.869{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-2022-6323-CD0B-000000007502}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.869{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-2022-6323-CD0B-000000007502}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.870{E743DC12-2022-6323-CD0B-000000007502}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000126145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.607{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C0989519A99720F05FC35B622EC92D,SHA256=78143657EC664B4D2B9CB299BB4FDE83B6BB1797A131C73930A28FA5FB3832A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:50.546{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF039FA10D243E922C2480E8B593199,SHA256=E1641D42A5618497A6088C76383D83329748C2987B270EA53F80ADEFCB3AD754,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.204{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-2022-6323-CC0B-000000007502}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.202{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.202{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.202{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.202{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.202{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-2022-6323-CC0B-000000007502}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.201{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-2022-6323-CC0B-000000007502}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.200{E743DC12-2022-6323-CC0B-000000007502}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000126165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:51.727{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05695996D43000558B2CA52BB67FA4F8,SHA256=4022E817A67EB2192BADAD6136B645C011B3ACA34A6437F923C952AC47611D9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:51.712{E743DC12-2023-6323-CE0B-000000007502}53565844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:51.557{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7A9840B769FDDC723E388AD3B41279,SHA256=D229929E71A52DECF95BBB86FFC261910B2D372AD6F8F03EBFE952A4A180DD57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:51.554{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-2023-6323-CE0B-000000007502}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:51.554{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:51.554{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:51.554{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:51.554{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:51.554{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-2023-6323-CE0B-000000007502}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:51.554{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-2023-6323-CE0B-000000007502}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:51.555{E743DC12-2023-6323-CE0B-000000007502}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000126155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:51.038{E743DC12-2022-6323-CD0B-000000007502}4820976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:51.027{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1DC6102FF0DB0AACA89D6CD02084DB5B,SHA256=6ADF48C01F22873773FFC41D9E522245B2115650954968CF63D4C855D3E114F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:52.771{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0D04AF328BBB5D98E875ECE1DE56BFF,SHA256=2A1BB49A16AF3FB2846C09063545B38D9530405A55D829C828A5C038B9912250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:52.660{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\aborted-session-pingMD5=0419AAB8BB0B00EF4F6A7028A847D022,SHA256=2300C4DDEF9745ABA07A1D4365C64DE9E8CAF7B33F5B0F1C6D9B20F87F9C3FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:52.568{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684770B2180D6EB0E2AE871A42317307,SHA256=AFBBA5EF26FE34E71898197F32B410A83911D1FDB12D77A90D9C457FD19C5C3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:52.440{E743DC12-2024-6323-CF0B-000000007502}3548208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:52.361{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-2024-6323-CF0B-000000007502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000126178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:52.361{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-2024-6323-CF0B-000000007502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000126177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:52.360{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-2024-6323-CF0B-000000007502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000126176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:52.359{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-2024-6323-CF0B-000000007502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000126175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:52.359{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-2024-6323-CF0B-000000007502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000126174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:52.359{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-2024-6323-CF0B-000000007502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000126173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:52.228{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-2024-6323-CF0B-000000007502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:52.228{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:52.228{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:52.228{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:52.228{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:52.228{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-2024-6323-CF0B-000000007502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:52.228{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-2024-6323-CF0B-000000007502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:52.229{E743DC12-2024-6323-CF0B-000000007502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000155377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:50.518{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53036-false10.0.1.12-8000- 23542300x8000000000000000126184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:53.830{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A89F0EA0E5B68F709D1B298D4E48B3A,SHA256=CF8E3A718243BBDEC3F3C6A0053D2B0429E720DF81A449A2106D290046814268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:53.578{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8EDE48480A439912F0645478342FD24,SHA256=9832B63366033E26292CCA5CFD85072D9E2098BE474319DAB27AC438263B3426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:53.630{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=2D88C89C559EB0FAC9B7CA88F3546FBE,SHA256=149151524BA24E6574C5F7B28FBBF7EE39CC130B881701D343C6B713C6581384,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:50.973{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53729-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000155380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:53.390{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2C51B0BC83A423ED50E557F00A038DCA,SHA256=84502430E663120ACECAE705F16698E8A256A0483B791E0E04DE78125B5EA675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:54.889{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD7ED33F20AD298F343C5B641D6C5CC,SHA256=F21DBA0F537FB4AA7FBA4DDBF334700832E68E999891096B64F57AA1C75C421C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:54.685{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2F5C56B3FB5421A4BFD918CBC176EE,SHA256=F71A938F3337E685329E3C3784FFB0A67282A608B8132C6266C86BAACAAE3C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:54.669{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-320MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:55.934{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9002FC3417E5C4AE8AED7890A99A1AC,SHA256=457F4BBAEF676742B2579193042DCF5240EED36C44CAD7B1500D8738ACBBB543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:55.690{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09CD8FE83DE94C9D174C6EC381032086,SHA256=A438394D39C13D46FED983D9648694A6CCD2937845C891FE214C79F2C4BB5E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:55.668{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-321MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:56.700{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7ADB1123F5594CB3A20DBFF56E6E230,SHA256=E918EF8E894E5F540B478FFDAA6D883C4F9433122D6FDB6784EAA31031183DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:57.712{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B407C702ACA4AC7CF6F32445AC79A63A,SHA256=3D6FBE760D897ED5BFAE1BD733FD79971ABBEB15259EB061C8861B0C9C185D68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:57.999{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:57.958{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:57.947{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:57.931{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:57.913{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:57.901{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:57.893{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:57.883{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:57.868{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:57.858{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:57.846{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:57.840{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000126187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:57.010{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA18D59D2BB8BD27675FB81D77532B60,SHA256=CD63C9347B4B5343F570F06DCE73A7FECBB425557E42F97648FCF875BFD5592F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:55.619{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53037-false10.0.1.12-8000- 23542300x8000000000000000155389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:58.823{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259DA192CAFB0AD4385228FEAD406F57,SHA256=64D2CCF126CA0A8B47A6E16732848F574BBF95B4B0BCDDF52E174D1A9DB92AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.663{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=32E696871ABD2B2D71CB13513A2D1960,SHA256=5BB04B43482AF13D93382DCF497F8D5824C67237623310D58E8623D764869635,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.208{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.206{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.203{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.201{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.199{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.186{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.185{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.185{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.179{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.173{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.170{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.167{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.161{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.159{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.142{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.130{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.120{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.099{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.093{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.084{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.078{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.077{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.073{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000126215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.071{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF9685E6310D41A027B957442968601,SHA256=E29B9B338739DEF274046390B2B527FF52F0D6B6112A66BA2C7FB37878C43F98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.070{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.069{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.065{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.063{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.062{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.060{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.059{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.057{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.054{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.051{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.048{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.045{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.038{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.034{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:58.010{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000155392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:59.907{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:59.907{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:52:59.834{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542D6C1F6F8C7C564C68B6C238F2BBE7,SHA256=16E498B4257310D1BC24F204266358F93BFCFB45078E57ED6E77580A09099B9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:59.538{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17521FB34E03B99BB97ACA72235B02D9,SHA256=9AF992C012742E3ED2D8E9B6403421300C83C47E2B05C29C9EA8A8AB3D55E586,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:52:56.183{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53730-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000155395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:00.846{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC483FC35B7C78F27EE421149A565E6,SHA256=390D763E2DFD21D0A1BD757A200F3A771B4961ADDF191AF4157D47ACBF61B74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:00.380{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7DED6322E347DE2E70BDD225939FEFB,SHA256=0D6CD6565110088708C12631031870A832CE59C301E911655101A83E553E7F6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:00.723{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:00.723{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:01.857{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871AE1A6367BF5BE9BD175E26047A617,SHA256=E50A254C02DFCD246465C04A503D0366F12D596120BE579AFC94CC381A7DF77E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:01.439{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A06DF2A07A903715AA87C5C3BC9BBBA,SHA256=3967947D442B5F4CE79D7316E4C86FBC26E8DFBB18A3DB52DB67C4B9165F01F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:02.959{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:02.959{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:02.868{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D300E5F8719980781B92B7220863946,SHA256=11016FA04090D9F651A047B05AF6718311636DB1AEE3843E51A2C4F585E08BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:02.483{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88696D89733A30D0EC92BFDDFA9BBC18,SHA256=98BF0137B0A5C0D97E14AB805C62845F5CB4B8F7DD0F8145B986A38178272E32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:03.889{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:03.888{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:03.882{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C4BBF325AD507876349D7B66029F98,SHA256=550265A8BE09CA86AB881FAA7644596290CA0FD775F95193844DE30E12043870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:03.701{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=368266A06A465FD8B94AF19ED5869F33,SHA256=99D6853BA2742EDBF032CE94F65FEC49DE7C3DB1B3DA5EA46B07FACCABF16ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:03.570{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B178876544973C4C227647241D174756,SHA256=51758821B491AC5F961F46880C0292761DE6D65D77A6E701BD5114614247BEFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:03.806{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA4FEA7375272A746D44B1493234AEE9,SHA256=A32B1482A4211E2524877A2E511F6B2AC46E78C6392688A65A2E0381916FD9FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:04.894{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7D769D93DCF65C5033A510535089CA,SHA256=0B4CC17EF8072F68C57B5DB210F81729161EA7AAF55159DB2912B22A6B86303A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:04.602{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A32C18DDD98DC479DAB37D32545FAF,SHA256=EAEBB7B133BD1F26BE93F9CA0315D3F28D4A99F9D4FAE18B648A4812B0D7F3E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:04.345{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:04.345{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000155406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:02.301{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53039-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000155405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:02.301{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53039-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000155404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:01.584{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53038-false10.0.1.12-8000- 354300x8000000000000000126247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:02.039{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53731-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:05.703{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B569C6D1B6B056C3E80948FEAAB486,SHA256=E207917E48A629FB2A3BEB2DA2C9ABCF3ED12E660FB753F9CBDD6A8FE8E15A64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.633{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.632{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.221{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.215{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.203{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.200{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.187{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.183{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.180{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.178{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.170{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.146{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.134{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.130{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.123{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.115{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.106{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.096{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.089{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.081{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.073{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.031{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:05.028{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000126250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:06.821{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6375BF7810D9AEE429F52B4CD9A2E5,SHA256=032EB03DC42B9A9B22E22CB7085DB7D66F3E7B13049C4A7F5EA63A8F03925302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:06.002{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD515BF19B23018B7C2A6C19D1B88F5F,SHA256=F5A3ABF1C629A3BF99F019E2CF35D4E6DA93364A04F0C58523E04357571D6709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:07.920{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B25B2C550DBD9CE38BDF0E01542BB81E,SHA256=77966426963F9D8B9F8157CD71D091CC18137F1EEA48F571B0A5FD8E8D54175D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:07.649{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:07.646{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:07.640{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:07.638{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000155434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:07.012{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F714F58C670632E07805FB61F96206BA,SHA256=4CED8690A3191B747A8B1E5BBC87C42E86904D91AA0BE8BF4097182CB4AE4378,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.364{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.362{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.361{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.357{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.355{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.352{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.349{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.334{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.321{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.318{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.316{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.304{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.300{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.299{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.296{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.293{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.290{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.289{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.289{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.286{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.284{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.273{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.271{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.253{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.251{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.235{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.227{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.194{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.187{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.176{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.171{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.169{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.166{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.163{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.161{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.160{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.156{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.155{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000155440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.153{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000155439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:08.023{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB0C6464A4C903D13CBF0AAB042830E,SHA256=A79BA36AD44E8C56DB75A1F5957E817C04478ECECA815460DF5D383E7119BEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:09.394{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E912A9D34A0EED290672621570A769,SHA256=BACF54E392001A4BD162AF1FEEFD467F38530EB05EE047CBDBD7591146D5948D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:06.751{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53040-false10.0.1.12-8000- 23542300x8000000000000000126252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:09.071{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1F86646C896198DA7001C26592FFF5,SHA256=2BD4D304AC4A74743494B26C6A26C846BAC36520161A54525F91547A1249D0E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:10.357{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AAB00777C727CE67B17FAD26AF77C8,SHA256=545F3AEBF2DAA1643BD07A2B9E5E4834A465F73A802F2321186EF323E6192C51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:07.216{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53732-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:10.087{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2176C28FC0CF0DF51931B65E65AF4CA4,SHA256=43F6533284012B8025F0B12977774850991B043B6CE294CC5BECB4D04C7AD99C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:11.202{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6DB8A6B7CE50A9638140BC22DC75B5,SHA256=D6EFCC1590C3E234B9F2966102E57D53584F88C6270895D497F6B3519C8E4BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:11.366{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964C5F4777AE2E05ADA455621310ACD9,SHA256=A37174EE17F60E2986427C5EC5BA2562FF97AD0FB301897FAD301FBC666D368D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:11.040{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=B0FFC78E24BDAAE48DD0635F99CD3C13,SHA256=E0A9316E992E767C9FCB1A43B74BB62F8EBE141BF330BE41C607C37EEF3D881F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:12.376{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9841428861237275ED9E904C56DEE758,SHA256=2F118BC76325FFA5E38137F0B6AB98BFE6CF7EE2212A867254ABE124F03B5E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:12.326{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EDF1DE9DF10A8C1AF3EFDD5D0EF9C19,SHA256=93B6CA8EE9557324313056851558FFA56A95C09BA7A201E90AAE5FBD8B7D0BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:13.478{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05DE2363DF5952E1CBA4DA60EE6F1E81,SHA256=3AE46031E67D8F2EB34BA1CD8B60BC0112BCAA63718D4D836321EFB73C94A5C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:13.483{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30F3A482E206EE22388478C384259BB,SHA256=6A7B274F72F5A8DB2600292445978BA8DCD76ABAA082CA5DDF25463BAC0E4E5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:14.852{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:14.852{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:14.493{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1987ACAA9EF15CD76C23D96C0392A08D,SHA256=AFA26D0DE0A6A21C4C6489296201DAEC8793E36C16ECD1575B1B344A7F07A4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:14.488{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B12BC185C550F8AFA3A8FBEC2ACB52,SHA256=C3205AD302578D79A0EE867A0CD68A995C7D8B892FE282FDB1DFBA12E4ACC829,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:12.594{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53041-false10.0.1.12-8000- 354300x8000000000000000126262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:13.133{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53733-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:15.609{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956260C4165D1E1718B1C5F67FB3C0A1,SHA256=1EBC880F22C75C37D30184BF6B556C806A25B54976D0E57838D52395651328C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:15.831{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:15.496{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF98EAD771783C41950DA5D2CDFD3FF,SHA256=DE0F9C93ACA91B0BA00A7054689FA9C131A98FB4CA6E8DD54194C6A20850ECC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:16.735{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F669408EDA026887B3ED503B5604A80,SHA256=F7E1573F663E7F12073756E041443EBD30C2D68197E2C42C895175335F5BA320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:16.504{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98F547E792B2EE5F2DA870CA13BB2F6,SHA256=DE9624B0BA4A22FB7EFF476D505ABF2C8850F108C6A6FD17D9D92651C4EF4709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:17.513{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=102591E51B17CA1AF5B9E3226D8A5EF2,SHA256=5CA908F50DB5BA43BBBB4B48AC34910D75BFAF302B51B7C9C19008D78DEE5FA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.998{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.996{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.992{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.989{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.986{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.977{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.975{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.965{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.958{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.935{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.929{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.922{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.912{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.902{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.891{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.884{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.876{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.867{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.859{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.857{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 23542300x8000000000000000126264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:17.753{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8DC4087D4AD23623260E0948801473,SHA256=00F5B401B57805B6B5DA7590561B42753D29C6B518FA4BC0D6067E08125D1376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.837{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C5F48674436C16C69278E71D8D7B59,SHA256=D4EA54AF53410EE4A141BF0A32283498ED9B94B7D720E996677356CE326EF7C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:18.524{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52163C7D576DDB978E7AE55D0E328C79,SHA256=C6CCB60F5336DD44D440BDD44D4950F6A7AAB95EC72716ADAA76E70E8DD397EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.172{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073651F5A54CFE76019B09E5F4E7BE95,SHA256=2595527DC453B3377BCFDBFFEEB33AED0DFA182213B3D7332C979A7809895E75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.142{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 354300x8000000000000000155492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:15.325{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53042-false10.0.1.12-8089- 10341000x8000000000000000126313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.139{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.138{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.135{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.134{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.122{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.121{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.121{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.118{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.116{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.113{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.110{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.103{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.101{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.085{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.071{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.060{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.038{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.032{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.023{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.018{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.016{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.014{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.012{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.011{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.007{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.004{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.003{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.001{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.000{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 23542300x8000000000000000126318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:19.864{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9044C5C6BB8816678559C55D856F369B,SHA256=8B6185F87297D19DE2D7761AD31211FFA5413B06E089FEA56AC0F75F3460D26F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:19.535{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035D21367EB90C171732349CF1410577,SHA256=DACBE3D1A1A18198C186D4EC6628204056C7AF6243C46104A266631F4EE25166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:19.130{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:20.995{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D15DEE8C204F7413AAA82F7F6CFF07,SHA256=60F40EDB93FF1812153F95B219C52B9726A370AB7D03A5125CEF4FC5296F66AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.911{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-2040-6323-FF13-000000007402}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.908{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.908{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.908{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.907{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.907{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-2040-6323-FF13-000000007402}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.907{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-2040-6323-FF13-000000007402}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.906{6820D070-2040-6323-FF13-000000007402}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000155505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.679{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5385438FDFD65CE0C7F0C2171B93E641,SHA256=DB5F71514A98B7CF2905E66DF4FF9F977502EBB0F0B04932B8143BAEC6427FEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.547{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6632FBB2CFF4DAD2F7988202AF7E11BF,SHA256=9C500971325AD5CEB8E422D25DC52C1389245EC3402104271B81217C57436484,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.150{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53735-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000126320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:18.082{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53734-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000126319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:20.227{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000155503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:17.694{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53043-false10.0.1.12-8000- 10341000x8000000000000000155502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.241{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-2040-6323-FE13-000000007402}7296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.239{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.239{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.239{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.239{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.239{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-2040-6323-FE13-000000007402}7296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.239{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-2040-6323-FE13-000000007402}7296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:20.233{6820D070-2040-6323-FE13-000000007402}7296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000155525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:21.741{6820D070-2041-6323-0014-000000007402}47804116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:21.576{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-2041-6323-0014-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:21.574{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:21.574{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:21.573{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:21.573{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:21.573{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-2041-6323-0014-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:21.573{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-2041-6323-0014-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:21.572{6820D070-2041-6323-0014-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000155516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:21.559{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0326770263A7E85C3D848DBC6DFA00,SHA256=C58FBF9DF74B43A2B111024BE56F2EFC9FF1EA3D040A69CEA5FEC1A344C930BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:21.130{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DD9ED5B59A5E3A8FA5B9637E371E7C8A,SHA256=F97FEFB5414C3F8A4D66BCD55629FCAB551D5FA6F1117565EA81184D0697115B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:21.249{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=059855D05CFFC4D28119133C4F3423E3,SHA256=9E7D9C0236D5E4ABA2E188F0A3AA7C51ED527803AC8045F5AB74EDFDED6D7967,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:21.112{6820D070-2040-6323-FF13-000000007402}30487380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:22.922{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-2042-6323-0214-000000007402}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:22.920{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:22.920{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:22.919{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:22.919{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:22.919{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-2042-6323-0214-000000007402}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:22.919{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-2042-6323-0214-000000007402}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:22.918{6820D070-2042-6323-0214-000000007402}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000155534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:22.575{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888DDB73988CA47E004536EF17E15AE4,SHA256=7877EAC6EC53CF70B469CC85E7286274768201F947F886EA17014BCFBC837DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:22.053{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F60475A07475C9DC73FB860CCBA7B8,SHA256=1EFEAEFCE55B6E2E2B45793FB6F05B681DECC5F76683448D9487E02D57C95BA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:22.246{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-2042-6323-0114-000000007402}8176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:22.244{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:22.244{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:22.243{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:22.242{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:22.242{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-2042-6323-0114-000000007402}8176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:22.242{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-2042-6323-0114-000000007402}8176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:22.241{6820D070-2042-6323-0114-000000007402}8176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000155553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:23.759{6820D070-2043-6323-0314-000000007402}1852520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:23.590{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-2043-6323-0314-000000007402}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:23.588{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:23.588{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:23.588{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:23.588{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:23.588{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-2043-6323-0314-000000007402}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:23.587{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-2043-6323-0314-000000007402}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:23.586{6820D070-2043-6323-0314-000000007402}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000155544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:23.585{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A94B3A30EEBB99B0C5F60397AD33E6,SHA256=6BD74DDF927B3ADC132B6ABBBA1C561AA1AE4681D73CC5E164F2D8E2E85B9748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:23.581{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A6DFC3792F646D02C0C4465CF607E091,SHA256=6DC38E2E155B8CBC6F34800588D09634D7F218FB1F5C3F19F8B7CC93BAEF2362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:23.153{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD346948B9DDB56E0304E38D8EE265A,SHA256=9960B4F32D68D6144FC3559EC1DEDDC5F77EB958D18B85D06052F2868965DDA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:24.897{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D13E873F91C65ACD789C2C5CA67A520,SHA256=0F2A3B64847FEC20CB7CCC8687A9AAC4C90BA161F40A23EC2309AD9A9EA2CAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:24.294{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B6D23D76BE2DFA08F290CB0BFFAA3A,SHA256=CF6B2BA4A5B6E9F3309A4377D42F7F4C32430994A3314129C3A8FA3F460D18AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:24.433{6820D070-2044-6323-0414-000000007402}28087884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:24.265{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-2044-6323-0414-000000007402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:24.263{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:24.263{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:24.262{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:24.262{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:24.262{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-2044-6323-0414-000000007402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:24.262{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-2044-6323-0414-000000007402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:24.260{6820D070-2044-6323-0414-000000007402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000155588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.914{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99E7A5083B6589313AE5CF876BE84A9,SHA256=8053A935B99974412117869032EB101A20572FC96F6E487DDEA06A1CA069165B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:25.427{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB9C07CF46DE197EBC25723AF972DAFE,SHA256=2195DD38F303F1E9A91CB90213201939A51A3DCC3E2FE525F8814B877CE017DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.597{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.595{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 354300x8000000000000000155585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:23.527{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53044-false10.0.1.12-8000- 10341000x8000000000000000155584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.240{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.234{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.224{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.221{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.215{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.213{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.211{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.209{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.204{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.182{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.170{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.165{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.159{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.152{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.144{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.134{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.128{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.112{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.093{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.033{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:25.031{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000155589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:26.922{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34666BD185775B072A238BABAD8C288,SHA256=BAB9BD3B55A76E9C4E9BDD6066ABE5DD388182570F336FC1EEFC7BAACE7FB6CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:24.134{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53736-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:26.552{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF3E2B958C990D935108AB1345EFFC59,SHA256=3B9A68DB0DDEE137062FDD119CEC77B29C3C883E79D2FD34D1A7E76B79E4AB07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:27.652{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF80841E43D53E5FDB1446769F68701B,SHA256=95FA85E7C874DDCF5CF231031E322DC5446B5597BB778EDCAE09E5EE0F94C6FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:27.610{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:27.609{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:27.603{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:27.600{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000126332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:28.778{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D9ED97F1498810FB6B46881EDB8323,SHA256=C09CB210FE40003AF93042E148ACBE499D24D1490B81E0EDAB8276ABC0BA5DB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.377{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.374{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.373{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.370{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.358{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.354{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.349{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.329{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.316{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.313{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.311{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.292{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.286{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.284{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.279{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.275{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.268{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.266{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.264{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.263{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.261{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.252{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.250{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.231{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.229{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.208{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.192{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.158{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.150{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.139{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.134{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.132{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.129{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.126{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.123{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.121{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.118{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.117{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.114{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000155594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.037{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DBA7250AA7F9C9C8B154CC22F14B644,SHA256=DCB6D4233476FF72C95AB6AFF9A967E800F33B39CD03E7175BAB6A1DB21BF6B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:28.352{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=2CE91C69E6CA0C4DD82FC56CB84FF66D,SHA256=C6E71FA4D969399D18E0897F8FE18320C3889DD9F20E649B3FCB91FEEE60385D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:29.781{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A1471754C1558D587CA6E8BF46B98E,SHA256=4F0225C261993451088A63C96E48E96A065FC25CC422CE0B5A99E2CB2B96596E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:29.682{6820D070-D2F0-6322-0D00-000000007402}908652C:\Windows\system32\svchost.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000155648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:29.632{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9a639563-d25e-4dc5-b02b-d71d653c2e91}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000155647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:29.632{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9a639563-d25e-4dc5-b02b-d71d653c2e91}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000155646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:29.632{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9a639563-d25e-4dc5-b02b-d71d653c2e91}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000155645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:29.632{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9a639563-d25e-4dc5-b02b-d71d653c2e91}\LeaseTerminatesTimeDWORD (0x63232e59) 13241300x8000000000000000155644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:29.632{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9a639563-d25e-4dc5-b02b-d71d653c2e91}\T2DWORD (0x63232c97) 13241300x8000000000000000155643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:29.632{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9a639563-d25e-4dc5-b02b-d71d653c2e91}\T1DWORD (0x63232751) 13241300x8000000000000000155642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:29.632{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9a639563-d25e-4dc5-b02b-d71d653c2e91}\LeaseObtainedTimeDWORD (0x63232049) 13241300x8000000000000000155641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:29.632{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9a639563-d25e-4dc5-b02b-d71d653c2e91}\LeaseDWORD (0x00000e10) 13241300x8000000000000000155640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:29.632{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9a639563-d25e-4dc5-b02b-d71d653c2e91}\DhcpServer10.0.1.1 13241300x8000000000000000155639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:29.632{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9a639563-d25e-4dc5-b02b-d71d653c2e91}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000155638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:29.632{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9a639563-d25e-4dc5-b02b-d71d653c2e91}\DhcpIPAddress10.0.1.14 13241300x8000000000000000155637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:29.632{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9a639563-d25e-4dc5-b02b-d71d653c2e91}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000155636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:29.385{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810301CA2C08A9E49046662F8C76D6EA,SHA256=BEF38B58ED88CA1B35E6F584B630548D0F11B3C884B54258378D62A03AA93192,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:29.019{6820D070-D2F0-6322-1500-000000007402}12527340C:\Windows\system32\svchost.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:29.019{6820D070-D2F0-6322-1500-000000007402}12527340C:\Windows\system32\svchost.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:30.795{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C9DC95609DF0A6FA9D631D46A5E6F3,SHA256=196429BD3944741A88119388F0AD722D322C8807786B5143E85C346D4E091F1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:30.638{6820D070-D2EE-6322-0B00-000000007402}6282228C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:30.638{6820D070-D2EE-6322-0B00-000000007402}6282228C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:30.471{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B6A132E56BA47549E08CA8AC4E9CE0B,SHA256=B9A095FAEDEE6506C4A68918E232A293F8C2D42E642E28C86D8E227B6E1519AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:28.645{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53045-false10.0.1.12-8000- 23542300x8000000000000000126335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:31.894{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC508675515DEF7EA1142E41C4988BF3,SHA256=06A34E2906870E6757B810531E7C53E3D1E1C9DDA86C26E5165F5287E3D338E6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000155670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:31.651{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9A639563-D25E-4DC5-B02B-D71D653C2E91}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000155669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:31.651{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9A639563-D25E-4DC5-B02B-D71D653C2E91}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000155668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:31.651{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9A639563-D25E-4DC5-B02B-D71D653C2E91}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000155667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:31.651{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9A639563-D25E-4DC5-B02B-D71D653C2E91}\FlagsDWORD (0x00000002) 13241300x8000000000000000155666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:31.651{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9A639563-D25E-4DC5-B02B-D71D653C2E91}\TtlDWORD (0x000004b0) 13241300x8000000000000000155665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:31.651{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9A639563-D25E-4DC5-B02B-D71D653C2E91}\SentPriUpdateToIpBinary Data 13241300x8000000000000000155664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:31.651{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9A639563-D25E-4DC5-B02B-D71D653C2E91}\SentUpdateToIpBinary Data 13241300x8000000000000000155663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:31.651{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9A639563-D25E-4DC5-B02B-D71D653C2E91}\DnsServersBinary Data 13241300x8000000000000000155662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:31.651{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9A639563-D25E-4DC5-B02B-D71D653C2E91}\HostAddrsBinary Data 13241300x8000000000000000155661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:31.651{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9A639563-D25E-4DC5-B02B-D71D653C2E91}\PrimaryDomainNameattackrange.local 13241300x8000000000000000155660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:31.651{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9A639563-D25E-4DC5-B02B-D71D653C2E91}\AdapterDomainName(Empty) 13241300x8000000000000000155659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:31.651{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9A639563-D25E-4DC5-B02B-D71D653C2E91}\Hostnamewin-dc-ctus-attack-range-403 10341000x8000000000000000155658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:31.642{6820D070-D2EE-6322-0B00-000000007402}6282228C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33585|C:\Windows\system32\lsasrv.dll+3140b|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x8000000000000000155657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:53:31.638{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9A639563-D25E-4DC5-B02B-D71D653C2E91}\RegisteredSinceBootDWORD (0x00000001) 23542300x8000000000000000155656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:31.483{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E19D11FFF5DB067FB96540C23FC1BF2,SHA256=A13D0B16F3C0D9C42D5AD287F5CBA0CE6459C9A3EF8375E0D56DCC2830A92282,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:29.140{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-east-2.compute.internal67bootps 23542300x8000000000000000155654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:31.131{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=773A20D8082260779806A60F387492D4,SHA256=2E67C3390FA6EDA712DD847C1CA9ECFBA89DB7724CB41253DEAF52D1BE0CF7C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:32.928{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC49AB372D937749A5A5DE740C0E4E9A,SHA256=006E856BD3AAC7A3CB56EBBAE2D02C8C5308A5F02C3C406A3C0644EB885B6194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:32.750{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DEBE4616D8C6EC4A630AC0A767A1492,SHA256=702F89D60DF929FC3B8F07C3BCB4E3F5046F767AF4761D3505195731C979EE9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:32.496{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98BF9D262CD278544D2A068ABF32A07,SHA256=9376C98AB9AD5689D2259B3F789BC51C7544F7E50A89B4D6D1A4723BB57A2FBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:32.400{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000126337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:32.400{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:32.400{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF124f475.TMPMD5=39D11997735CDFDAB7051AB86B8F82E9,SHA256=34F34B56FDEF9CE630B3344FE748DFBC186169F1CA2CC69FB9A6920D5DE026AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:33.519{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CDDB6651918AF484BD11B966B1663A,SHA256=A80F058DD29E0A9EA8094C03B1564E2059EDDA2073E85D894317A54B1355F645,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:30.049{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53737-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000155682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:31.160{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65084- 354300x8000000000000000155681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:31.160{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65084-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domain 354300x8000000000000000155680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:31.160{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local51587- 354300x8000000000000000155679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:31.155{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61677-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000155678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:31.155{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61677-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000155677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:31.153{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local51339- 354300x8000000000000000155676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:31.152{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61676-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domain 354300x8000000000000000155675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:31.152{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61676-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domain 354300x8000000000000000155674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:31.150{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local64457- 354300x8000000000000000155673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:31.150{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local64457-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domain 23542300x8000000000000000155688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:34.530{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE9E96EFC8B895786C54EFB35D0D86E4,SHA256=FE45CB287916F57652CF33A865915DA5E3D07DB3C095F566B5533D378D609740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:34.897{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-311MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:34.055{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE2BAF05FABB9310F7B8883CBF44E15C,SHA256=5CB2E2B25DFBDEC8EABE23A3BAC3E2807F6BBBD30FE366B4276915FBFDEB407B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:31.162{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local62290- 354300x8000000000000000155686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:31.162{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local57771-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domain 354300x8000000000000000155685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:31.162{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:7805:3900:f880:ab2f:8c94:ffff-57771-truea00:10e:0:0:0:0:0:0win-dc-ctus-attack-range-403.attackrange.local53domain 354300x8000000000000000155684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:31.161{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local51303- 10341000x8000000000000000155693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:35.547{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:35.547{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:35.539{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F9DB2959021019B127EB1C38685EA9,SHA256=01B08ACA40EB216930F2DC2A1921BF542686988B27368A726C5BD9BDE3C066E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:35.896{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-312MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:35.179{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3376FAE2D2CFCD8C1FBA38804D946361,SHA256=E5EF820762053F48347D4BDA998535797AEEAD78FD4CBFBE40F4A1D58B835002,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:33.662{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local138netbios-dgm 354300x8000000000000000155689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:33.662{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 10341000x8000000000000000155697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:36.888{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:36.888{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:36.548{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78041E7E22B9B6AF27A8DAE9B686E22B,SHA256=8CDB6DD23A5DA42B6808408EC35899124E21E6F2415A63B052DD7801BF13B287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:36.879{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=1995CDFA606DC11F9D397F9E28AB8B69,SHA256=58B56804DF3ABCB2AF43F9D68EE9FC137231A5EB93FD0FFF13E5E3B78D9EF1D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:36.221{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F8A396E5930CEBA0240AABA304047D,SHA256=2878594C3B96089D4413EF26AEA32FB218D8A4A6077C2A9566EF9D1E442D9B80,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:33.748{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61678-false10.0.1.12-8000- 23542300x8000000000000000155698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:37.659{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B410C99F43A20BC0474300299A6EEC,SHA256=895EDAFC607DB1A025407B5EB880CB480B4C1DCFDBA2093D9CC9F1CBD868E444,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.999{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.995{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.992{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.989{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.983{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.975{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.959{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.948{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.918{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.912{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.905{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.895{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.884{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.875{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.868{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.860{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.847{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.839{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.836{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000126347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:37.336{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B93AF2580EDBDE71D59B23F2352E5D,SHA256=07C6655C23757C3BBAF4580955DB07CC8D3D3207F6E2CB791707AAC981B6D914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:38.669{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DCF9039C48235AC5912842B70F8EA2B,SHA256=113E7B7B90A27049CAEF700E1C46C740FCF1FA10D5726D5886E6935A43B54468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.752{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4F979863C5BB66E97847E2463753908B,SHA256=19A2507CB6B61C9E26C352DE08D640131BD9E2FB779BB01763C027A7335B2257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.494{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6ED28682F3D6D7992A8E7570BBB1772,SHA256=34A12D7911B2141C71BD6580F8362D4EAF64D262CB38024E5DE50D3C720E6351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.494{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F96CB550DB93888A21F27F1FF33137,SHA256=EB148C012046177C36546A6D5A8C1751403C34464F8BC7291C77AF74A513FC96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.172{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.169{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.167{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.165{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.163{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.148{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.147{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.147{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.144{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.141{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.138{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.135{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.127{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.125{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.102{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.083{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.069{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 354300x8000000000000000126381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:35.050{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53738-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000126380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.044{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.037{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.028{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.024{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.022{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.020{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.016{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.015{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.011{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.008{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.007{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.005{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.003{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000126367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:38.001{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000155700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:39.678{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E7C21E751FE4FE38F03A9E55B81BEF8,SHA256=776E6553E6B77E2288A7DD51D538DB0F27F41937C9F6D77EA279ADFD0949CC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:39.609{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E87ABECC552F93D37708DB44F3AC9CA,SHA256=4DE66E7091817EF9E64EB4A56E22299380DCB37DF3BF8F094D367E8E4C64AD7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:40.690{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3ED0BC26C3B6CAF411A153771A3D58,SHA256=7D8FE7DD33C808A6070EE832FCC7AB431A7CA97FFA71DB078B4F13648ADA3EA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:40.709{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C8D97AA747F4B4F1922866A415A171,SHA256=4B3582F19F45D9406577710B7534F41269600713D502FE17A59ECF204183C837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:41.696{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E3717D4D41D4A4DB52BFA24823D160,SHA256=2863DF7B5F2AAC0DC6A745A41DC6BCE38B40F1BDE346A5FFAA47760754F1C7B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:41.827{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD6B6356FED8828055C2CA291B890E8,SHA256=41D2FA8A07B2D2564920B92661940486DEE0ECC7311134DCB7216AB722C3D739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:42.701{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81ADD4ECDECE56DB84F32FB9A63AAA1E,SHA256=0AA05D4D51D5778D7DF4531AE715E33A159A6166170371C2B5E71851EA15E390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:42.978{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FBCFDFCBF38CA1A55EEEFD5FEDBDEA9,SHA256=42B4FDEF858A8C6A9026E2A3087A37728A99D1D3D63E3FEAA271744CC7BE6569,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:39.655{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61679-false10.0.1.12-8000- 23542300x8000000000000000155705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:43.707{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905D56392460E25918058D6B71666B05,SHA256=55C0730B8B98AA469F3DE56F493A8577A856DA9C214EA8E090D459BB18724314,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:40.123{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53739-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000155706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:44.715{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3EB0AAE5E26C395A6D1D66E10316C8C,SHA256=6789008B12211EA6D0FD92EBA1BAB173ACA6E018C1DD02BCFAE18096A39211AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:44.078{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428EAAC815845BBD9B48FFC1A312FBB5,SHA256=7A9BF526738CD2C0596978C73F014BA913B54BDD64939BEE8B6DCDB3D15B5B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.736{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2AAE527B4D5E61646A0C09E1FA397F,SHA256=08E1618C0EFFC2A7003E2BCB3BFDE10C0E414B3EC88B1EE3EF9A8E2F74D48CFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.724{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.722{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000126408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:45.109{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F4AD004ED6F55497B1216271AAA823,SHA256=6ACB019977A7B5D651C3920E7D5F245CC527320EB1EAE06725F46C38DBE4D3CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.272{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.265{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.250{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.244{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.228{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.225{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.222{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.220{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.214{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.182{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.169{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.164{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.157{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.149{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.141{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.131{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.125{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.116{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.109{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.050{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:45.046{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000155732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:46.747{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93541F2E1C7B5C837051AF7813A83193,SHA256=016F931E840DEA5904A572F53CD4844BBD830AA0572895B76CEE910300CCD500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:46.227{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E7BE584182BE005950A4799EAFB67B,SHA256=8EDE91FB91F843936E13794A7D95385993F790B6113D6423C2DE1C54D4144280,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:44.740{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61680-false10.0.1.12-8000- 23542300x8000000000000000155739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:47.761{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B689DBEFB2D68CEDF64E5917C5954C,SHA256=EAA77E262A5B4578CF689DECB08E613ECC78C754E3C80253DA790CCB56C95BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:47.281{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E745CBB84503A499FF5AD6697B64A1,SHA256=1676F2EBAA4DA8D603FEC61148072CB2A0911D9E337B2E85B0F998D0A3CCDBD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:47.734{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:47.733{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:47.728{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:47.726{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:47.684{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:47.442{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=ABA10FC4B147CA4147E27BDE920E8B93,SHA256=53BB81EA5CECD5584390F5EE1FCA282130D02A839E5F6333EB6846413DF4A641,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.882{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-205C-6323-D10B-000000007502}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.882{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.882{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.882{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.882{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.882{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-205C-6323-D10B-000000007502}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.882{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-205C-6323-D10B-000000007502}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.883{E743DC12-205C-6323-D10B-000000007502}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000126421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.785{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BB597C5CFD719801F28642A2CAC85ECE,SHA256=196A4AE51F73639823E8B2889F63A17C40291E192D04F6D5E00370829FDC1981,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.381{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-205C-6323-D00B-000000007502}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.381{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.381{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.381{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.381{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.381{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-205C-6323-D00B-000000007502}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.381{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-205C-6323-D00B-000000007502}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.382{E743DC12-205C-6323-D00B-000000007502}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000126412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:45.124{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53740-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:48.296{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548BC069C8559DC5DAD51CC05A7CC4C5,SHA256=06279F774D277ACABD3EE8AA0B53CCC2852DFE1F27EA0DC8B02659B242DE5133,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.456{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.454{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.453{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.451{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.448{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.445{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.443{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.427{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.415{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.413{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.411{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.400{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.395{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.394{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.391{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.389{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.386{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.385{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.384{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.381{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.378{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.369{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.367{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.347{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.346{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.328{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.320{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.283{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.274{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.264{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.259{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.257{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.254{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.250{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.247{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.246{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.241{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.241{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:48.238{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000155779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:49.265{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A74E7B9FD8CB5C6536A8B87E75CF243,SHA256=518E993C9B0ED98A5FB28F9F5E941E28E6ED193D23E7B2D657D6039E668B2502,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:49.459{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-205D-6323-D20B-000000007502}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:49.459{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:49.459{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:49.459{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:49.459{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:49.459{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-205D-6323-D20B-000000007502}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:49.459{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-205D-6323-D20B-000000007502}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:49.463{E743DC12-205D-6323-D20B-000000007502}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000126432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:49.436{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3EEAA0415F2029A14FFBB758F965C51,SHA256=FA98DC35A5922AC44CC53971C8C6233BC56A803A3D5616D84A19FC29C58F6FCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:49.401{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F528F280311934BE8B3BC70C1C1B6982,SHA256=7BB4EE9E847A8BE9EB7E60951682EB9467053284B00B1865BDA23B1BFE6DB582,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:49.067{E743DC12-205C-6323-D10B-000000007502}46205408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:50.301{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C089AB7FD110D9F41EFA28A2203C37,SHA256=0D5075C5DB09723421994CB45C80EF498D295BCE36BEB4C50717F3EB644654BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.987{E743DC12-205E-6323-D40B-000000007502}4560840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.807{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-205E-6323-D40B-000000007502}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.807{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.807{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.807{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.807{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.807{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-205E-6323-D40B-000000007502}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.807{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-205E-6323-D40B-000000007502}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.807{E743DC12-205E-6323-D40B-000000007502}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000126450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.462{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF0759C5A886726620FED5BBBC6323A,SHA256=01E34AF1D904E1D1DF92799FAF9CF73A61028342FC69489D074364AD2EDEF2FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.318{E743DC12-205E-6323-D30B-000000007502}6322840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.141{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-205E-6323-D30B-000000007502}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.139{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.139{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.139{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.139{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.139{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-205E-6323-D30B-000000007502}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.138{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-205E-6323-D30B-000000007502}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.137{E743DC12-205E-6323-D30B-000000007502}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000126478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.987{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-205F-6323-D60B-000000007502}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.987{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.987{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.987{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.987{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.987{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-205F-6323-D60B-000000007502}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.987{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-205F-6323-D60B-000000007502}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.988{E743DC12-205F-6323-D60B-000000007502}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000126470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.687{E743DC12-205F-6323-D50B-000000007502}9124740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.587{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD3A46A182E9DC088E7E1B7C34CB4D5,SHA256=481456D44FD93EC322829417D5FBDF5C87E798287D29A6B11EDB7CD16C253CE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.487{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-205F-6323-D50B-000000007502}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.487{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.487{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.487{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.487{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.487{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-205F-6323-D50B-000000007502}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.487{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-205F-6323-D50B-000000007502}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.488{E743DC12-205F-6323-D50B-000000007502}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000155781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:51.306{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC9A5AD53231361C9BE247CA430DF71,SHA256=D2133DAB18E44565D9B287B182AC0ECE849ACD5D43AB249057A1513F24131546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:51.261{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5C7120CFEA264F9CC223BFEF0B02D73A,SHA256=E66F2FA57755F6EB128C0A75F9D225780738B30D0DADF71BDBF934EC81EDF307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:52.602{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F654A7B8B7CAAF19E24AA8DAAEDC494,SHA256=5345B99806452E5110381469C42A0658164D6EC20B6425AFDD67FC60FDFB5EDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:52.601{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000155785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:52.600{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:52.600{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF12e905c.TMPMD5=1C1390FB7031B53AF8B5015FEB516BB7,SHA256=7E9DB3FA9C07EFD7A9158EE7BC0183A5F15EBC556C75A7245F742DAFF3D723D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:50.596{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61681-false10.0.1.12-8000- 23542300x8000000000000000155782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:52.312{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DE5D97AC62BEEF6223D62570FE8AB2,SHA256=2682CB9F7333E43FD87B5CFDDA7611BE5F3ADFDBC5302C56ADE544DF74E028EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:53.660{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F83EEF9719A1CEA578505E58E0AD96C,SHA256=6D4C302766B249BC52AD909D07DB4E6A01E8DAAA8DD4554860C53D498F918309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:53.819{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DCB478F2664E358A22E27A288C3F2BDA,SHA256=3C43E8AC89F8233D2E09C813CC53148453867F57169D001E4276D11738A56738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:53.326{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A3D033C011A0864E72EE40B7D5FF9B,SHA256=7ED9C86F7D9E7D581FC106DB02932CC4DE32B9A07397D452E31575DEF6D6FE14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:50.158{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53741-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:54.687{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E32EF8C4CE815CE8869A6353573161,SHA256=D2F860099C1B1329BED4FA16779919A139EBF5C8472DDD95E209F119BDAA7CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:54.435{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4D71FF0EF2A3A11D68CA93D406CCB9,SHA256=C2897024C3950CB3F126BEDCF6768139E039F3327520819937672695DF17A6B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:55.820{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E496E1F3F781970F1B70A9D9563E003C,SHA256=F054E580F461DAB7AAB9EB55E74DFB41265915F4580B0B10C36D9E129EAEDF78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:55.445{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D293F5B1BA22C125669A637B951B0C,SHA256=2AA0F8094EB1BACA844B87D1A1015E4E1160794E79B8C886BCE11D129881E57A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:56.864{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F336147DB86EA6CAB4CD1DE29BDD3F,SHA256=672B9A0F70C41068CC9380C08C8D46F19A86FB5A937FA724525CF84F5F4EA8A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:56.455{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91735D5903E5D19B24938EB4F3EE42F3,SHA256=F0B68967B3EEC9AEF2D3313A5A1756991B3889F309A4AF3455CE5A6773C06995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:56.735{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=2908B12DAEBDD8325A4136E4790131F2,SHA256=C07080324070045C568E615E898DEBA08F75332E4913B8020F6E553D23F89FA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:56.176{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-321MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.994{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.992{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.990{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.988{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.987{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.982{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.979{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.978{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.976{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.974{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.973{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.971{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.968{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.965{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.961{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.955{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.953{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.941{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.933{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.906{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.900{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.892{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 23542300x8000000000000000126494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.890{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61CC48B11CC4442214FEC27E325B793F,SHA256=37D625931A4B3697EC57DF36BB2374C6B070004EA2BE0C7C99FDC5730393DA9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.886{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.874{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.869{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 23542300x8000000000000000155795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:57.566{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EDA3FED38CD316D90206C8D1AFDD728,SHA256=8D1410878A1C01916C1DB8530850FC7D2E25F6F012D3C009829BFA31558E4D31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:55.714{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61682-false10.0.1.12-8000- 10341000x8000000000000000126490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.861{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.852{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.845{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.837{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.835{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 23542300x8000000000000000155793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:57.175{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-322MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:58.476{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8498B838A980D9B3BC83E51B7E20860,SHA256=47682126787C60B13C2EECA30FE65B79C5A397F115170543D661F35E22DAFA5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.176{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.173{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.171{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.169{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.167{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.155{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.153{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.151{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.147{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.145{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.140{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.136{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.125{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.122{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.095{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.082{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.067{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.026{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.017{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000126517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:58.006{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 23542300x8000000000000000155797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:53:59.485{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C84EE40B48A32D7287C64281C1EAA29,SHA256=B2E454D5730F33860CECBB20A75914D051C67FA0D5C4CB66CD7C0386B246841F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:56.157{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53742-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:59.218{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7566664723ABD998E6B6323EFD7FA36E,SHA256=14DDBA0BAF11A30618915E3D009E61D541056476EF92C368E902498A3164A524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:00.494{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D43B7F171EE7F2ED9437CED4B17C0A,SHA256=C429E6A114D93852F5204F4D9DC01AA79B6999CD3547300D2CF7B6113893899F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:53:57.958{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:2ca4:2a5d:f5ff:fef0win-host-ctus-attack-range-102546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000126539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:00.261{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B678AE5C09C9BB1FF5BACDA671A92588,SHA256=31EF3E9A129443412B610E65FB4200154C1EB20913E2AFFC581E3B3921128DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.502{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BE4068CA029EE94BB2A890787D50D5,SHA256=3F252435A95C0700D1E7EA75ADB0345051E4B561CEE60285299A3769C471767D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:01.504{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A5F8E83C209B378676E8E8F596F9C0F,SHA256=1CF8CA5C4B982E48B1CD42763456F390C4C48CD7035BE0B0C1130C6A5480987D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:01.261{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:02.536{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47D265912A6D520D74E9978B853AFE0,SHA256=2244ED1282205CA4B9DDEA451CD9E30C7434BEC3E818BAED86C7D952672B7E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:02.511{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9EFB1862A8010E97147BB485B1F9B5,SHA256=2A2C262B79BC9663C54AFC0B05FBECD15E83782B4CDD52394E362A4BC072325D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:03.671{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B0699884DC29AB68A1976E764FB031,SHA256=90A4E00319E66B02A17FB986C8D4259647D3331F88937C900B70192A49471802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.914{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35BFF644B9BB0FA4C4A052FA7D633C06,SHA256=48AE6FA32010D5F2273FBA9CD2B3E8C6F054ED0C9D62A4274BCF77DD62E07F5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.528{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0FEA03E5FFC9979F9068CAA7B16CBB,SHA256=619707A1F2984BF5546005476820CBFFAAFDD63C0C8215C5DCC85953DC4416E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:01.540{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61683-false10.0.1.12-8000- 10341000x8000000000000000155822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.379{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.379{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.379{6820D070-D2EE-6322-0B00-000000007402}6282228C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.339{6820D070-D2F0-6322-1500-000000007402}12527676C:\Windows\system32\svchost.exe{6820D070-206B-6323-0514-000000007402}7932C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+dc41|C:\Windows\system32\wbem\wbemcore.dll+2cfcf|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.323{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-206B-6323-0514-000000007402}7932C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.308{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-206B-6323-0514-000000007402}7932C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.306{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-206B-6323-0514-000000007402}7932C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.303{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.303{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.303{6820D070-D2EE-6322-0B00-000000007402}6282228C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.279{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.279{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.278{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.278{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.277{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.277{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.276{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.273{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.273{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.249{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.249{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:03.244{6820D070-D2EE-6322-0B00-000000007402}6282228C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:04.542{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A0EC4C38E705A9EE9A05B8C1411C5D4,SHA256=29CD35A7CD8AEA3E353B1983D6FACBE5C0A962305FCECC963B9D8B21DD2F710C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:04.718{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306A723117E70B6FB5CC3EB2FCFEA40E,SHA256=7CB1E9383F4B031F4821E8654A0111CBBA4FC2DBF0183685F2BF898A4266950B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:04.147{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6CAF868B010BB9E98ED93E01ECECC90B,SHA256=1B745D3513165FAB0A62EA168CE82B721B40A27013D4169A8171728F526D653B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:04.092{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206B-6323-0514-000000007402}7932C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000155830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:04.092{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206B-6323-0514-000000007402}7932C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000155829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:04.092{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206B-6323-0514-000000007402}7932C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000155828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:04.091{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206B-6323-0514-000000007402}7932C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000155827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:04.091{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206B-6323-0514-000000007402}7932C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000155826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:04.091{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206B-6323-0514-000000007402}7932C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 23542300x8000000000000000126577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:05.836{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F9507BA0FEA6644D04875915E77A959,SHA256=B7CB62BD748A5E3086D850D138303180D6D1ADAC437E0583275CBD160E7F76B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.497{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.496{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 354300x8000000000000000155860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:02.302{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61684-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000155859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:02.302{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61684-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 10341000x8000000000000000155858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.192{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.186{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.176{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.172{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.166{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.165{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.162{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.160{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.156{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.132{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.123{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.119{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.114{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.108{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.101{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.091{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.085{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.081{6820D070-D2F0-6322-1500-000000007402}12527564C:\Windows\system32\svchost.exe{6820D070-206D-6323-0614-000000007402}5780C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.077{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.071{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.069{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-206D-6323-0614-000000007402}5780C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.056{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-206D-6323-0614-000000007402}5780C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.055{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-206D-6323-0614-000000007402}5780C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.031{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:05.028{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 354300x8000000000000000126576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:02.108{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53743-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:06.886{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964D5D3BA5E8CD8C8A2D3F3B63B54CB3,SHA256=E4C3600844542305CABD09BD62B136418DC3738A62A30448B48A6186A506B61E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:06.222{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD83DB8537D8E1E6DEE7BDF70AB9F494,SHA256=5F41888168473A084916C96CF65996840C5582382AF9F432331E8AF915271692,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:06.137{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206D-6323-0614-000000007402}5780C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000155864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:06.137{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206D-6323-0614-000000007402}5780C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000155863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:06.137{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206D-6323-0614-000000007402}5780C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 23542300x8000000000000000126579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:07.935{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C46DD86402C3C508F608513FBD7C34,SHA256=080FE0CD6EC124036C0CBC1395F20A40206EB5EE39C424ECCA4C092853FC9A7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:07.509{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:07.507{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:07.503{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:07.501{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:07.329{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:07.329{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:07.174{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AABA19B88FDE04190F34E52E6A08516E,SHA256=CDDAB67BAB4EA32D6F2BE83BF7E4B277D4F0EFDD33BE6294073574F4AE2C141E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:06.550{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61685-false10.0.1.12-8000- 23542300x8000000000000000155914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.263{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3A0EC939E35F1A5DB5652F5A13B583,SHA256=F26D23BBE03C0EF4F9DB2FD2206F73B175EAF80F22FA82B164215B97B19D3D05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.223{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206B-6323-0514-000000007402}7932C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.215{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.215{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.213{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.211{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.209{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.207{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.198{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.188{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.175{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.173{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.171{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.162{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.157{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.156{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.153{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.149{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.146{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.145{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.144{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.141{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.138{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.131{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.129{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.110{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.109{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.094{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.086{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.054{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.046{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.036{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.031{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.029{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.027{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.024{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.022{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.021{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.014{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.013{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000155874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.011{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 354300x8000000000000000126581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:07.206{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53744-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:09.034{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05EF70DB427C07C43A33BADA1BF91AEF,SHA256=8D1FA64CF3601F31AD4564002F72001CF42AD36AF2805C8ADB70E322C8211E4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:09.214{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45107A8F94116558CD44EAB8799A9475,SHA256=44079364C1E2853A648BE204409DCE544C705F24AE4689B5E5CBA73CA59BE94E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:09.177{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:10.136{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0396132DF0F16149D6A2D983B81A2E9,SHA256=4AD4B5623C1B8042654D52DD91CDEA5DDF71E15B9B05B3790DCD0029529D3A40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.689{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local61686-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 23542300x8000000000000000155918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:10.221{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA6E6CAD25DC476C6EB1A4F8B406045,SHA256=8FC2A59982244114FBE151DF197C9917F5B91CCD7F6C15D605EC3EF22671613C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:11.231{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E523D841D33D98096432B14922B9741,SHA256=676F6DA68FF68DCB7B9558B732BAE7B28E7B954B385EB1F80C95C6DE42059589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:11.160{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603AAFE690DB60B3E1B5D99ECEA006D4,SHA256=8E58C347A16F9F25CFD6D6D569B6577DCFECA94EA550DB6E4B660777A2A28BC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:12.187{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=587613A4858C2C31EBCE13C854A421A9,SHA256=766F011122A2F0A40BC6168A20AC0711D7DA060D147A8E2D99B94417DFCD94D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:12.242{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865C227F2E7F8D1A1D3107F1A484E616,SHA256=BCFC277EEC611C6D256E1106468B133E2567A6A007E4B5ABE06198B51A79767D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:08.689{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local61686-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 23542300x8000000000000000126585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:13.212{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1CEB113D826C6851D63DBE09AA7A5B,SHA256=80C060FB3BA09328D78F6164B35D6F4950D0DD8B4EC47F1A73FDB12468875DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:13.250{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F46C9AA7B9EB23DE1E12D332EEAF065,SHA256=E6C011D67DA91C9E3A1323D114214500F0668AC8949C12E9D15876D6092ECBDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:14.339{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985AE7B290C277EA6D9B895B02CDBFDB,SHA256=5D2F8D70324F42BD646EBEC996B13CB635C39E751AF1961CD88F89C9D864FBFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:14.257{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F29014F0AC55C730CB17946EA8D03D,SHA256=4AB58233BBF03CCEC99ED8CE3F5A3456081533F10B2E69F4D8E9EB49B4B4EEDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000155924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:11.667{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61687-false10.0.1.12-8000- 354300x8000000000000000126588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:13.144{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53745-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:15.391{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F692601FE4A18001EAA30B4FD72ED74D,SHA256=EBA97F2B04B8DF9B4E5AD2BC1281475CB69C7CA536EB84C90A5AAB18DF3BF970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:15.848{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:15.262{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA2575E664AB0A75CCE16A60DA480BB,SHA256=AEF39074D570AA5E27DFDB96795E26E0AACD94DE54D832968B911B1D6CEC4220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:16.442{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD36221A763BC43F326F8D1EC27EA30,SHA256=15B541C2098417268D75424A5BD47670AB2A867619764C9FB2F265AE4F887B9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:16.593{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:16.592{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:16.268{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507EF9062DBFAA1230D035DB08E690E5,SHA256=F39A5488B46214C479EE68CFB6B9187F738B8C1E4E4C760640ED85B1AFA54491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000155934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:17.279{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE58AE964E3FDB591EF01D1907C4B7D7,SHA256=F4B7927D6D03ADF4209AEBF97B6104F780FD5693BD5DE58BBA68969678150C7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.996{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.991{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.984{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.982{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.971{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.964{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.937{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.917{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.908{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.895{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.886{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.880{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.874{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.866{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.858{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.849{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.846{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000126590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:17.511{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B1888BF37E9AB114FE0A95A8EE0EB6,SHA256=74EF5F53949F3547079AF07C6C287A0492180ED95EE565B223A128D890B344A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:17.255{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:17.254{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000155931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:15.342{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61688-false10.0.1.12-8089- 23542300x8000000000000000126642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.573{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC618C67E278AF7FFB379A1DD8BCF9C,SHA256=E08AA05E5D62EDA4EA93D7EFBA8D6EE76C4F83FBAFFCF34E32491CE700ABABF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:18.978{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:18.978{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:18.969{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:18.969{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:18.391{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8948B7C7BDF46DA6EA4D5E32BE200F,SHA256=F99934124D961C04A9A43FEE852AFF771F3FE3D6BAFB0DAE8BD337CD1C6F3EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.397{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD5AC858876EA172F55D9D45ACCF77C,SHA256=A6C4BD3AF4003DB0AD91542EE1972520D6044F90F785A68C843C272A70789BE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.128{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.127{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.126{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.124{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.122{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.112{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.111{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.111{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.108{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.106{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.103{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.101{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.095{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.093{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.079{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.068{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.060{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.040{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.035{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.027{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.023{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.021{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.020{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.018{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.017{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.014{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.011{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.010{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.009{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.007{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.006{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.004{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.001{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000155940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:19.402{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A80A0630DFCB47D7E04E4C727B0058,SHA256=D99A603615695E29084EFC610A40C0EC6DEBFEE84283E98CADC227DB08A8576E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:19.648{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5806481CF639122DE059489C4002F6BD,SHA256=AA3DF207DCAF6FBBAF6CB37ED23D9BC15EEC68CC34AB39039DEE0E6CBB3A3C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:19.157{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:20.717{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F2D0CB5F09C3D375479E1B1F2D25F2,SHA256=386856A26A20C1F0DCA5A4E2A377649643B3DC74E670B8849EEA4B5E0FEEBD38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:20.676{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=987B367DEAB84B97C01F84DC7A0B70FF,SHA256=42B912A959650BD2AE9FAE216C0391723AA2A512610649567E8DDBD1AB83F9A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.922{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.922{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.922{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-207C-6323-0814-000000007402}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.915{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.915{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.915{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.914{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.914{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-207C-6323-0814-000000007402}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.913{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-207C-6323-0814-000000007402}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.912{6820D070-207C-6323-0814-000000007402}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000155950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.515{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D53EE6690EA4FDE62F0FF302F0C6EB,SHA256=0A51960CB52C49AFBC117376383C12AD8360B153537CE07685E8E0793DA3893F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.247{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-207C-6323-0714-000000007402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.245{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.245{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.245{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.244{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.244{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-207C-6323-0714-000000007402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.244{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-207C-6323-0714-000000007402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:20.243{6820D070-207C-6323-0714-000000007402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000155941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:17.636{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61689-false10.0.1.12-8000- 354300x8000000000000000126649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:18.115{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53746-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000126648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:20.252{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:20.252{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:20.252{E743DC12-D54F-6322-0B00-000000007502}628712C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:20.232{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000126655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:19.170{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53747-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:21.703{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C331A4AD7C3598F2FA840B83F69C2C2F,SHA256=309CC07B2EE075C7A2FAC5028FA4BB565D49C82F496C231875410E4199F3861A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.785{6820D070-207D-6323-0914-000000007402}25961976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.697{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-207D-6323-0914-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000155978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.697{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-207D-6323-0914-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000155977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.696{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-207D-6323-0914-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000155976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.696{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-207D-6323-0914-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000155975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.696{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-207D-6323-0914-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000155974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.696{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-207D-6323-0914-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000155973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.601{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-207D-6323-0914-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.599{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.599{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.598{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.598{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.598{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-207D-6323-0914-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.598{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-207D-6323-0914-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.597{6820D070-207D-6323-0914-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000155965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.530{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5B988E7C67DF33B8BF1F5C7A938DF9,SHA256=B266B5C784A6F5319399D94BC50B97CBEDC4D5A4288DD26A73C71819002708DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:21.452{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6881C12C96CCE4C1A9F4EFDC210EACAF,SHA256=106D841C0F62504DE3B986A2D66993E5CBEAC00D2F29DC344C6820FDD85EC08C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:21.233{E743DC12-D550-6322-0D00-000000007502}7842752C:\Windows\system32\svchost.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000155964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.253{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD45A1342D681E616C42E8258307BE25,SHA256=411D1820D65ABC03850E4A764B745A8094AFDDDE9C5133E4C486E5A4F69B96B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.134{6820D070-14A1-6323-7F12-000000007402}78967424C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000000FF957B)|UNKNOWN(0000000000FF9501)|UNKNOWN(0000000000FF9475)|UNKNOWN(0000000000FF939E)|UNKNOWN(0000000000FF92AA)|UNKNOWN(000000000810E5FC)|UNKNOWN(0000000008107365)|UNKNOWN(000000000810756E)|UNKNOWN(00000000081075A0)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 10341000x8000000000000000155962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.114{6820D070-D2EE-6322-0B00-000000007402}6282228C:\Windows\system32\lsass.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:21.098{6820D070-14A1-6323-7F12-000000007402}78967424C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000000FF957B)|UNKNOWN(0000000000FF9501)|UNKNOWN(0000000000FF9475)|UNKNOWN(0000000000FF939E)|UNKNOWN(0000000000FF92AA)|UNKNOWN(000000000810E5FC)|UNKNOWN(0000000008107365)|UNKNOWN(000000000810756E)|UNKNOWN(00000000081075A0)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 23542300x8000000000000000126656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:22.736{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F835E3670A3FDA58893E2CAF07D30F6,SHA256=EF2C5A372F18D241683B38D790A73BB5B59A9CA2B12CC330D876236699FA1C92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.984{6820D070-207E-6323-0B14-000000007402}40244616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.805{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-207E-6323-0B14-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.803{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.803{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.803{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.803{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.802{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-207E-6323-0B14-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.802{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-207E-6323-0B14-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.801{6820D070-207E-6323-0B14-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000155990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.544{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C426576E0489489D29E0C0FE3D233F,SHA256=D9AA539B96B192D988B0503BC1F6834EF6E94BE83F7AD8D748A9254008914974,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000155989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.270{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-207E-6323-0A14-000000007402}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.267{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.267{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.267{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.267{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.267{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-207E-6323-0A14-000000007402}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000155983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.267{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-207E-6323-0A14-000000007402}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000155982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.265{6820D070-207E-6323-0A14-000000007402}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000155981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.071{6820D070-14A1-6323-7F12-000000007402}78967424C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000D667B8F)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(0000000000D1D11C)|UNKNOWN(00000000162287D2)|UNKNOWN(0000000016228713)|UNKNOWN(00000000162286C7)|UNKNOWN(000000000810E5FC)|UNKNOWN(0000000008107365)|UNKNOWN(000000000810756E)|UNKNOWN(00000000081075A0)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 10341000x8000000000000000156009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:23.638{6820D070-207F-6323-0C14-000000007402}54367028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000156008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:23.558{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADC16717075A44D2C0F34DA9DA97A20,SHA256=E7F144CA60F3BA986BEFB871C5860722AAC1015F22E214ABD59C7A9B1B2E0FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:23.807{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4853C54F5832F608E9CC5AD4724A530A,SHA256=E93848B97EC45E36DAFFD16F49A25ED6E7C2683E32E19A018E161B06AEA8C77C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:23.471{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-207F-6323-0C14-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:23.469{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:23.469{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:23.469{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:23.469{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:23.469{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-207F-6323-0C14-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000156001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:23.469{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-207F-6323-0C14-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000156000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:23.467{6820D070-207F-6323-0C14-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000126658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:24.835{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBCEB9EFF1AB5306939767F41A75F5DB,SHA256=7DEFB62035CEAA78533C9D538D6C518080649EB6F7066042C40E8980CB9A616B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:24.572{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4597D789B2B8C913208D68515AC8DBA6,SHA256=42E7415DE5F29A95553C82A7DE5C89C7812FDD0E4B06B188C9FB4942B7DB7412,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:24.324{6820D070-2080-6323-0D14-000000007402}51727456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:24.138{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:24.140{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-2080-6323-0D14-000000007402}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:24.138{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:24.137{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:24.137{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:24.137{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-2080-6323-0D14-000000007402}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000156012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:24.137{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-2080-6323-0D14-000000007402}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000156011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:24.136{6820D070-2080-6323-0D14-000000007402}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000156010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:24.042{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5B56B7CD4D355292A9777F4DCA142E91,SHA256=61075521F0B93ADED696455089D5A2440545E49DE0CF29EE26C0AF3CB941E3C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:25.910{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D887E8A99298552F5BCE3ED1CD9F92DA,SHA256=EC06BE3FA6D7FEC7867D2CCDDB7FD7D0F0CDCD3B7DB176211160F95D4BF12BC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.607{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.606{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000156043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.588{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007F2FD223DC3E2717477C3AB89D4A6A,SHA256=9F2FCA9859CF578E7721ECB457F95BC909409C72DAFEECD853D885C64F970E25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.221{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.215{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.203{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.199{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.192{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.189{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.187{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.185{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.179{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.150{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.136{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.132{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.125{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.117{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.108{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.098{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.089{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.079{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.072{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 354300x8000000000000000156023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:22.699{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61690-false10.0.1.12-8000- 10341000x8000000000000000156022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.032{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:25.028{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000126661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:26.961{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A96EA0CE9AF1E3EE59575ECC63B5D5,SHA256=137169D8E40A4F938B94A47676C74EFF6AFAB3259D1A77AAF3BFFEF288043C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:26.600{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6394215B031428D672A599BDA807B29C,SHA256=4796C49305F3D82A30455956B10F233197BFD1842DF862A9DA1AD2B150B7F369,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:24.179{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53748-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000156051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:27.619{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:27.617{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:27.612{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:27.610{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000156047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:27.608{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE14849E8165ABA9E38DC46933A903B,SHA256=CB5E27F6058DD4699566DB0E31A5C38C6892E74F52C7F7A89879DE52BBEADB63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.682{6820D070-D2F0-6322-0D00-000000007402}908652C:\Windows\system32\svchost.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.682{6820D070-D2F0-6322-0D00-000000007402}908652C:\Windows\system32\svchost.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.682{6820D070-D2F0-6322-0D00-000000007402}908652C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:28.016{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4DD35EAF07B94F6E70CE3339A688F5,SHA256=DCED6BF640927591AA92FA7DB0D023051E7562591FB096C055093032926A45FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.341{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206D-6323-0614-000000007402}5780C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.339{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206B-6323-0514-000000007402}7932C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.333{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.331{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.330{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.327{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.325{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.323{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.320{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.305{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.292{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.290{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.286{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.272{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.267{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.266{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.263{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.261{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.258{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.257{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.257{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.250{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.247{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.239{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.237{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.220{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.219{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.199{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.191{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.161{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.153{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.143{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.138{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.136{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.133{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.130{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.127{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.126{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.123{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.122{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000156052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.120{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000156097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:29.744{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60AC93A41B20D649BD3FB3D6405DD0ED,SHA256=B0E385E195EC029CA3181D2A9F05DE3B9394DA2F5CB73470708484B5E295E133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:29.066{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7571376C1725864CF76830D002919C,SHA256=E6533593B865E34E30C02647557DF37FB9F2A5CE38E29598F99BE5425E946675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:29.234{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A31247993B63F3CE7CDE9C52F7C9E9,SHA256=B0A30D2813D57909A706F096F57AD1D48E3D18312A09F097B4C3BDF35CF27E21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:30.755{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114703B796EA6AAA45CF9A19DB9259D9,SHA256=ADBEE772D1940E02AF670E46B3314F9356744B2D24C508B313A31CA0927E1593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:30.721{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=6A924DBF50F0E05589CD0C238636ECA7,SHA256=3888CE38EF010124C4AA0501415DDC186E8BAEDA1D1133A87C1721A60F3892D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:30.152{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F954723EB15F0636C8019E81868F1316,SHA256=5B8F730E2D6CEE57678C86E762FC86145AAA5424B8265708FFB6876E45ECD5F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:31.763{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BE58E006CDE74464A06D1093785BA1,SHA256=E75A305F3941FA813325147B1689985DA6FA204F09C9F9D8EA64E5196356BA2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:29.223{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53749-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:31.197{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16DCADC1B86D622C9D70E2D7DAE6AF71,SHA256=FD896FF2F2DA0A8CB294A00BD45B496F1B88306413491B8FA8B21CCFAF10F9D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:31.132{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1CE20DEF7DA03894B0CFC1254F3344F4,SHA256=F2C51E1A73A8932DF7F1855AC5E0E86AC31DC69F37A18515508794E360AA868E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:28.681{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61691-false10.0.1.12-8000- 23542300x8000000000000000156102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:32.970{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEFBB6A5B2EE26CFE36496EBC1579F45,SHA256=BCD8241B6F052050AF1A9C2166D62DE5714D794ECA743200A7931A060C00406E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:32.272{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2ECB21396571FE5E56077DE517DB6F9,SHA256=6AB3EC12C3FF2F09F2C57EEFA62FCC5C25F141652402287072ADBA306918A4E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:33.975{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C1AD418D78852F391DDCFD821B3E20,SHA256=6C275915EEC06E07AACB439D72809A02C36B003E88CF3D56A5C431F91E495965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:33.341{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3799F40852168845C931D77977AE9616,SHA256=FF37A29EE0BB07535091E5B34EB5936E0668FBDBD1692D94185FFF79F85B5947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:34.984{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11103338A7E15D6C9768FE79E900DF13,SHA256=C31B7C1BD9B22CD41C11D5C4DC3F4575F044C34AE2269FD8D41C27D7CA88DDD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:34.403{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F8C5EABF286F609CECA5953BDB9033,SHA256=852E1DF2C12B3FF0C07F7B678BA3198E43C60D3C383EC25B9F7BC4E3C99890D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:35.994{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A89CC4E790090E212E3CAE566802A941,SHA256=33131BA7A59BBF377B0A32D60126B0092F506EDA857F1D13614B60010D23E2E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:35.505{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF7E108D7FC7C09FD22F62D787AFC75F,SHA256=904D0136A07C097CDA6720060D6C7BC7364F7542317F6D440C9D79ABE2A342B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:36.590{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FADA94BE100427FE344DD7BCA7A68BFA,SHA256=E71124F444668AF5FA2933CF6C5587EBAADCC24BE98BFB39877521FB9FA6F156,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:33.739{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61692-false10.0.1.12-8000- 23542300x8000000000000000126672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:36.433{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-312MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:37.851{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=223C0170B7E35A0B255059D9F07B0655,SHA256=5C3A3844E0D5EC822F9AA0D8F19BA96E084E6914C08879B6963595205D4034F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:37.002{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1627EEF8901360E7D442D1BE7361543,SHA256=77CBD4FF76AA9F11AF5E001FC6D4973784F383C64C022D8D392D36BFE036D14D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:37.992{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 354300x8000000000000000126688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:35.201{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53750-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000126687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:37.980{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:37.953{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:37.937{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:37.930{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:37.923{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:37.904{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:37.897{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:37.881{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:37.869{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:37.855{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:37.841{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:37.838{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 23542300x8000000000000000126675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:37.664{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28ACC5E42C9EECDEF07821F52B4D7A7,SHA256=063391A27BFB2AF662830A53C5BCBE10B4B15E09F48EEA7DC16501F19A199856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:37.434{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-313MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.766{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3DB7F17EAFA277D4108808967B196C97,SHA256=CEB812FF5CBAB176F2B5E75AFB238FC7C2987B944D31F1CAEC5D32F604475E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.710{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A02FC5AF93B122C0CCAB0D881A7C2E2,SHA256=6CCB51A43C5CBB622A87A9F6ABAD4599CF614370E32513DBFBEDF8F2697317B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:38.547{6820D070-D2EE-6322-0B00-000000007402}6282228C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:38.546{6820D070-D2EE-6322-0B00-000000007402}6282228C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000156109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:38.012{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9FA76BCDA43C1F4EA989372F8502CE,SHA256=BB2D6F0A09BCE59EF7E406A81F6232D5039B0461EEDC2E0EACB81F1F9514017B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.309{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B8E622840C2835397D1A662E93EC3B,SHA256=445255F4D17BE56E27F852C6AE5D8B6D8A1E16EC13CC8743FAEB8BAE471FB160,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.202{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.199{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.197{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.195{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.194{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.179{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.178{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.178{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.175{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.172{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.169{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.166{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.158{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.155{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.133{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.111{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.102{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.072{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.066{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.057{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.052{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.050{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.047{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.045{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.044{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.040{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.035{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.034{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.031{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.030{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.029{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.026{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.022{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.019{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.014{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.008{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000126690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:38.006{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 23542300x8000000000000000126730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:39.753{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D15F25FB520176C9A5808FD94D8AE45,SHA256=77F4659AFDAFB0A33BD51A95E54372E939E3BCD40FE60AEB76315ADDA1AE77AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:39.023{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A43519FEC5B4B4C5F3A21263E53AEDB,SHA256=64AA7BF7FEB4710B0C77E2D4F8857263F7B334113C71531EFFB6BF8C74283343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:40.815{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09272B6283B7235BE9A9EEA1C15C85F9,SHA256=3145302BF2F72A0C20954C852C88FC8E3D8ADEF86FAB914C83BC17FD3148B9A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:40.615{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:40.615{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000156115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:40.128{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B413295301A52F26557D8CE76000ABD4,SHA256=05A86BC84185AC9D048279C44B3A8C18EA2BD884FE477F07A0CBAD60D06F9BE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:38.057{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local61693-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 354300x8000000000000000156113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:38.057{6820D070-D301-6322-2100-000000007402}2504C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local61693-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 23542300x8000000000000000126732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:41.857{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDAABFA5D736077DBDE26987BCC172E,SHA256=835FD6A96F7E47DB7141065D728E5DF0DCBD9D73F4B7BAC7AB14ECD1A20B58FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:41.137{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF6510CE929789F22E228EDAF287267A,SHA256=9DC6F6BB12E8AB66C06D4942816FBCEEA4D1E49751184857CDFF349E92A91612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:42.993{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC50272026D661773BE5E8288EB71B4E,SHA256=2873446C3E39E16E694F3D363717973F0C93119FA0CA56710484680A0A3FD56E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:40.210{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53751-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000156122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:39.568{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61694-false10.0.1.12-8000- 10341000x8000000000000000156121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:42.264{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:42.264{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000156119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:42.144{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC97BA3E136AD1E710C1A1C12719EB2,SHA256=F88A54D7BC388C8E174416BD478ED58BC826339A29D60BA5112776FE6F8A7A1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:43.155{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16BA100BFB795E31635B3662D46143B,SHA256=2E81E7161A19CE8687E422799CD42859C692889A2FA7FE6CE3FE2EC1077DA148,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:43.142{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:43.142{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:44.047{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66A8D11FFA191F301EE8FD99A7FB65A,SHA256=836A42B08D91E532CB6FAC36653121D98783C628245F47D96884BB5627072C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:44.161{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA6FA323D59926F82D361D685DBD1CB,SHA256=2D14BF4E5A7FE322824C44953408475C649E94B1D609A56262AC1354E43A658A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.665{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.663{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.256{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.250{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.237{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.234{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.228{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.225{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.222{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.221{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.214{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000156139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.176{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4B71D45C200D45C87B90EDFD03AF40,SHA256=DF73EAE61A3EAB836EE01F97CBB4E93CF0F2358EC78B2D8A2A8571B5A09D8071,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.174{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000126736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:45.065{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=298957312BDB8F0E06E602B26FCB46C5,SHA256=DB046B0F268BA6C165597CE5189BAC2807F43A3DD8A07E4D299FC214829C8681,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.159{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.154{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.147{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.137{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.128{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.118{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.111{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.101{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.093{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.045{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:45.042{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000156151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:46.285{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD7368E89611C77EC52D895298E60FA,SHA256=BF12EFC36F5C153BDC07A758E9DC48C453CAD0A47EBBABF07FB76A563DE5B362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:46.127{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0371560C86B7CBD828C7545050AEB98B,SHA256=CCFFAC27D97C6C92A2A7F381C0102CD9CCA0F4124062A7712035637A60CA4B2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:47.685{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:47.676{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:47.675{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:47.669{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:47.667{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 354300x8000000000000000156153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:44.730{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61695-false10.0.1.12-8000- 23542300x8000000000000000156152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:47.292{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18076EAFCD701EF7031482AD0A41B53B,SHA256=AE83D74F541A4F3419FB1FE71494E88E972BB07D85E60DAA7897CFD3ED4A6CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:47.170{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C5D0EE4D2E70C2C71043E161B2F5FF,SHA256=047E7E42D642FF26953C53C2C6433D34B37BF0EEA0BEE77565C673A81D8F8533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.935{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=17557EE3C595AF1873B3F51EDABB9BE0,SHA256=EFA559E483840333D75283B98D775D9967F786840730D4477EE1E812E9197883,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.886{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-2098-6323-D80B-000000007502}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.883{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.883{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.882{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.882{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.882{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-2098-6323-D80B-000000007502}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.882{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-2098-6323-D80B-000000007502}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.880{E743DC12-2098-6323-D80B-000000007502}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000126748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:46.024{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53752-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000126747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.390{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-2098-6323-D70B-000000007502}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.390{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.390{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.390{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.390{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.390{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-2098-6323-D70B-000000007502}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.390{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-2098-6323-D70B-000000007502}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.391{E743DC12-2098-6323-D70B-000000007502}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000126739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:48.334{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBFE2F2D972105A6304FD1BE08DEEE49,SHA256=883DF0F1868E9FC2D7718E86313CC8C98324A19855B7CCF90F0CA526DB80344E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.629{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.629{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000156200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.407{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165BA3AC66C61DD7EA48A619724204CC,SHA256=01028357699B806B17B20C436DAC14F05C8B856FA28EE79EA631E13227F705BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.397{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206D-6323-0614-000000007402}5780C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.395{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206B-6323-0514-000000007402}7932C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.387{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.386{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.385{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.382{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.380{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.378{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.375{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.359{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.346{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.343{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.341{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.331{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.326{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.324{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.322{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.319{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.316{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.315{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.315{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.312{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.309{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.301{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.299{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.281{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.279{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.260{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.252{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.218{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.211{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.202{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.196{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.194{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.192{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.189{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.187{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.186{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.183{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.182{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:48.179{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000156205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:49.612{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E92A5674349A27705946F37C36D39B,SHA256=2F4467BCC6CB1EFF965E6B2C2F568BAEEE067BEB08132E407B59BFFCCC63A59D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:49.563{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-2099-6323-D90B-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:49.563{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:49.563{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:49.563{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:49.563{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:49.563{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-2099-6323-D90B-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:49.563{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-2099-6323-D90B-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:49.563{E743DC12-2099-6323-D90B-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000126760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:49.477{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D55C29294A9A68C2D9C91A33BCC95CF,SHA256=CD2F213960952130BD932E7D4812502636D4C745A43A2AA15BB97C3273E26BFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:49.461{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22B5E43C660B91FD33B6BD84E0C4389B,SHA256=6026857A3684434FE336F844742AA66665B7502C758F5FF9D02D3D73B390A312,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:49.091{E743DC12-2098-6323-D80B-000000007502}522892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:49.007{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:49.006{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000156206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:50.643{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F42983DEE35B13D2F8AC766907ECCCC,SHA256=C47B13B0150F57F35139120F8E2E026292C610A0F7444AB073BB0338BC4504DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.878{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-209A-6323-DB0B-000000007502}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.878{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.878{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.878{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.878{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.878{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-209A-6323-DB0B-000000007502}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.878{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-209A-6323-DB0B-000000007502}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.879{E743DC12-209A-6323-DB0B-000000007502}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000126778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.537{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC370C480618AD61A4CADAD6E71A8339,SHA256=FA5B27686BEDF3DE838F2B0C4E11D923384C162B76D7339C6E33C0C04F69ADA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.377{E743DC12-209A-6323-DA0B-000000007502}54281920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.224{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-209A-6323-DA0B-000000007502}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.222{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.222{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.221{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.221{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.221{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-209A-6323-DA0B-000000007502}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.221{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-209A-6323-DA0B-000000007502}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:50.220{E743DC12-209A-6323-DA0B-000000007502}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000156207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:51.655{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E91D522F3B786D1C14A8D2A14052EA5,SHA256=1857C107636C08434D96DE1C3CD38347E539786233CD5D4680060A8D485FC52B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.596{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47495370C152C43B82836ED58256BC9,SHA256=8D35A649ED4980500FB835EAFA428F7EB09960095926A7671B15E1CD30B7CE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.565{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-209B-6323-DC0B-000000007502}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.565{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.565{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.565{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.565{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.565{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-209B-6323-DC0B-000000007502}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.565{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-209B-6323-DC0B-000000007502}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.566{E743DC12-209B-6323-DC0B-000000007502}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000126794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.496{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1A734DAF704768EE71567144B0FFBD44,SHA256=F6B48BA491673015831B0D7E5B51D8C055C32F242C6B30E3879F6CFCBF113C61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.064{E743DC12-209A-6323-DB0B-000000007502}3120220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.007{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-209A-6323-DB0B-000000007502}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000126791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.007{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-209A-6323-DB0B-000000007502}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000126790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.007{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-209A-6323-DB0B-000000007502}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000126789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.006{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-209A-6323-DB0B-000000007502}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000126788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.006{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-209A-6323-DB0B-000000007502}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000126787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.006{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-209A-6323-DB0B-000000007502}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 23542300x8000000000000000156211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:52.767{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FABAAEE49348FEE4AF22937DCC0810,SHA256=AB23E13C6DDBEF8C22EFD41F9419FA8F3EB98481981125111F16267438D205A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:52.668{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678941139EA3C0A7EF95311287305861,SHA256=9E8B5E8A86E7689CA745C865BF48500B0A2D53275AC0C457A6FC12DFF647F485,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:50.551{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61696-false10.0.1.12-8000- 10341000x8000000000000000156209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:52.248{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:52.248{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:52.483{E743DC12-209C-6323-DD0B-000000007502}13882516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:52.242{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-209C-6323-DD0B-000000007502}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:52.242{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:52.242{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:52.242{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:52.242{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:52.242{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-209C-6323-DD0B-000000007502}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:52.242{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-209C-6323-DD0B-000000007502}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:52.243{E743DC12-209C-6323-DD0B-000000007502}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000156213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:53.777{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39A3F3DF52FC7A1076443CB08998A6E4,SHA256=E0C78C2AB2941B3423C17A183AD026C99AEDEBC3077C3620D163A064B147B704,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:51.137{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53753-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:53.770{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6670A9802F170D549306BDB237A0B33,SHA256=5E6D5998AA068BD77DA0D4A3E12D0530C31B76513B23B04CB0989EBD1AE63E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:53.230{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FCF5CE015E1F5E148419EF8234CA6FFF,SHA256=129DAAB63262E87777D4A6A4F7A97EF4293B5D46FA5DA3084CBA8B55035DB200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:54.883{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63255AA8C711405BE99E7EDF93514C8F,SHA256=3C322407CC9EDCDF195D0D0EFA7A789EEFEFDAB21D372649B2B5303F545AB469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:54.822{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C63EAF81839C2526D74B98A38D5A56C,SHA256=F15DDE5E23D44958896832DE963C0DF731C6FA76530AB20B0C9E79E60D8F71ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:55.889{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E92B04F525A49693EB73927178F3CA8,SHA256=C8CAEC49B57824A483ED1A3323C13C20154762347D668069FAFCD3C1E496A62C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:55.989{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA385C1176B617BD068B152D72048A3,SHA256=90314D83EB9F2C7CFB15370045D6EC3CE868FA13D792C6DAFFC767A39D632D27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:55.932{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7d109|C:\Program Files\Mozilla Firefox\xul.dll+e7d3e8|C:\Program Files\Mozilla Firefox\xul.dll+121687b|C:\Program Files\Mozilla Firefox\xul.dll+e79d77|C:\Program Files\Mozilla Firefox\xul.dll+1231e36|C:\Program Files\Mozilla Firefox\xul.dll+cc66e|C:\Program Files\Mozilla Firefox\xul.dll+c52304|C:\Program Files\Mozilla Firefox\xul.dll+c5203b|C:\Program Files\Mozilla Firefox\xul.dll+18be779|C:\Program Files\Mozilla Firefox\xul.dll+1887aa0|C:\Program Files\Mozilla Firefox\xul.dll+1c8a8b0|C:\Program Files\Mozilla Firefox\xul.dll+1de56d9|C:\Program Files\Mozilla Firefox\xul.dll+1887f3f|C:\Program Files\Mozilla Firefox\xul.dll+1c8a8b0|C:\Program Files\Mozilla Firefox\xul.dll+1e3b9f6|UNKNOWN(00000104A8127F45) 23542300x8000000000000000126818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:56.924{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4959BA3B0A70C30B9CA544753241BE6C,SHA256=54D8F6A98BDD812FDADAD9C63037234FBDD5263DE8DC78AEDF1305F20331C651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.997{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0FA03245430E572C47160305396E580,SHA256=09F61699A41463E841732FD92BE495A71117F296668C7EC5600CD713FB37D0D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.997{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.993{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.990{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.987{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.977{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.975{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.963{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.955{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.920{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.918{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.911{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.903{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.891{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.885{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.877{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.865{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.857{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.848{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:57.837{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 23542300x8000000000000000156227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:57.681{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-322MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:55.635{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61697-false10.0.1.12-8000- 10341000x8000000000000000156225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:57.340{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:57.332{6820D070-DD04-6322-7906-000000007402}26565496C:\Windows\Explorer.EXE{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:57.331{6820D070-DD04-6322-7906-000000007402}26565496C:\Windows\Explorer.EXE{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:57.331{6820D070-DD04-6322-7906-000000007402}26565496C:\Windows\Explorer.EXE{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:57.322{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:57.322{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:57.321{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:57.321{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000156217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:57.098{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05956033CE2BD15ACB4E0829ACB60A83,SHA256=0138437F3E5D173330AA31CF5DAA09BD44FDAE69C618DB527BEE496394E0AC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.996{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3806FEF841DC0B1E6C5CDAD2EBF2969,SHA256=3ABCFFEAC85590927D6F62888818936C145E199E0D4227A1CEE0FC3753498706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:58.680{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-323MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:58.110{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7599A7D261EC7C799622E8056A5A2A9,SHA256=9EE6E6F49475D5859D77AD2F19EF30AE0CD86D9D9101C4D90E300CE893CC5421,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.145{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.143{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.141{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.139{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.137{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.125{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.123{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.123{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.120{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.118{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.115{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.113{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.106{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.104{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.088{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.076{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.067{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.045{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.039{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.030{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.025{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.023{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.019{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.016{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.015{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.010{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.008{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.007{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.004{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.003{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000126839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:58.001{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 22542200x8000000000000000156236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:57.352{6820D070-EFF0-6322-ED08-000000007402}4396onedscolprdcus08.centralus.cloudapp.azure.com0104.208.16.88;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000156235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:56.904{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61699-false104.208.16.88-443https 354300x8000000000000000156234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:56.900{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61698-false104.208.16.88-443https 354300x8000000000000000156233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:56.866{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local52468- 354300x8000000000000000156232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:56.865{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58020- 354300x8000000000000000156231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:56.862{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59061- 23542300x8000000000000000156230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:59.121{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192F49E928BE9307BB15F2C507125D7B,SHA256=C470EB7305849C1D0A01ADABA9D57E3178340B7C2909AA51C7184EA569399A7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:54:56.982{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53754-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:00.108{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94ED4F4ED86EAFCC2E813C66FA1DB0FF,SHA256=03C43600D19E571B11AF0BB9D8DF5B4C5D1FFC05B8F9829FB2D972D3FBB05479,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000156238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:57.353{6820D070-EFF0-6322-ED08-000000007402}4396onedscolprdcus08.centralus.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000156237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:00.133{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAFBC7365E21F39C42A9600378B77C60,SHA256=711FBD58AE20CAFF35E8073702D2FC43D687A427D08820293CBE4164EC667136,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:54:58.734{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local50380- 23542300x8000000000000000156239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:01.145{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141165CA61484F6A21FF42B4BE66BA26,SHA256=9969B4F9344F8E961AA102530E92860C069F8401994397841F8C1672DC37AB9E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000126874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 12:55:01.200{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8c902-0x5e0617f7) 23542300x8000000000000000126873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:01.159{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C66B28EEA89F25FE728BF3AF8ABC5A0,SHA256=22DE58127DEF50F369CFDF22FC2E17DF61058ED98A2BBC1705B606FAFAAE907B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:02.236{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95419BE3BEBA1B8B9F4FF91DD4F4269,SHA256=69E984A6CB532ED8800218DCD9D755A6A64E123F9708BD4B3167ED591C708D45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:02.155{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78A25D62A402CA67714AE93BE0D7854,SHA256=7CBE8AFBCB25D34EDDA22AA22774E98F1776EB3FD78940BC237B399BB7328BBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:00.153{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000126876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:03.305{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67BDCD1ECF51FF51DB91B66060780FB1,SHA256=326009E26889483215D0995EA492DA9C7972579B423A79405940AC197007085B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:03.873{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7581F460592DA3A5903EA951CFEFC37,SHA256=881858F6B425BE7182505BF9BB8992369ED1F207C3F261DFD8689379332E59FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:01.549{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61700-false10.0.1.12-8000- 23542300x8000000000000000156249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:03.165{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33DDC4F3C3D8DFED4CB8C9A1F2AE571F,SHA256=8F07D24C833E45C098CB0F8163FE31EC8339C8B94AB3F494C5D2B3F98BC96086,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:03.059{6820D070-DD04-6322-7906-000000007402}26565496C:\Windows\Explorer.EXE{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:03.059{6820D070-DD04-6322-7906-000000007402}26565496C:\Windows\Explorer.EXE{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:03.059{6820D070-DD04-6322-7906-000000007402}26565496C:\Windows\Explorer.EXE{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:03.054{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:03.054{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:03.054{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:03.054{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:04.392{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26CB6BC8A3C39C00E67463AF3F5BE7E,SHA256=33F003155AF20C8EFF68EA36967D3291F98FE20AFE12366012573D6A6FCB3B1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:02.302{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61701-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000156253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:02.302{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61701-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000156252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:04.172{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD1C8E116C0E32A6F9589A84AB5227F,SHA256=5CB40E3CC7BBB7959938EC66478831B0666A8A829787E5EAB8042416B87D1A56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:05.443{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=709B97E6C6CC9EBCC89B31023A516D16,SHA256=EA5D086611C686284752E272AD704DEC9F21D99B4C538DA086EDFFC915DB0DFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.599{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.597{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.220{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.211{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.193{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.189{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000156272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.187{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF5DD18510F79134CB91B1707CBF3464,SHA256=AF72ADB0798251567780D27EBD13015BBB3DD3C87C021F1EF1B56871EC4B467F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.180{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.177{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.175{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.173{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 354300x8000000000000000126879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:02.140{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53755-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000156267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.167{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.143{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.129{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.125{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.117{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.110{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.102{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.093{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.086{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.077{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.068{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.031{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:05.028{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000126881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:06.512{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CFDCA7CC1B0FB14E0070D7F8E60F810,SHA256=9223B23D6BEB80E810467FBA791E4C0AF1A7901389DF152EAA365088911D5AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:06.298{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D89130A3CDA7D08FC54B0E5EACD8AF2,SHA256=F49D9765C3E3C68B9C04AAED6D74463796209255E069A787A0FEB83D77797F70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:07.574{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC44B5027D409C409F1962417C5D3D1,SHA256=878B4E47DC4A140CCF9A3306A95D102929401AEEB58CBEED8993B6DA517C8F85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:07.609{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:07.608{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:07.603{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:07.601{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000156280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:07.305{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7D758A562DCC6A045BE3DD44640575,SHA256=D680A4428E4B69DDEE1BBEADAB2A665D646A698D3C0DF2DA0757713D8F9EECA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:08.649{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1D2DC7B5DD9321B05B715D328D7D9F,SHA256=02E9E7379C42ECFA7A19E94AA169DD52E6C682DE237103455924B02B7736AD95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.997{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BACF7A33361F2DBEFF29FB3EDD0D2171,SHA256=C623C93E86B9184AE6CAB565EDB8BA99903DB6E60DE3BB678428FE0C35A2233E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.695{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.694{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.693{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.693{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.692{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.692{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.692{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.691{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.690{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.689{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.688{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.688{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.687{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.687{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.427{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206D-6323-0614-000000007402}5780C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.425{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206B-6323-0514-000000007402}7932C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.417{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.415{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.414{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.412{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.409{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.407{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.403{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.389{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.376{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.374{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.372{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.362{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 354300x8000000000000000156313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:06.711{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61702-false10.0.1.12-8000- 10341000x8000000000000000156312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.356{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.354{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.351{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.347{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.337{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.334{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.332{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.324{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000156304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.324{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A429D02271AA76ECBFBE25C326F05251,SHA256=8769E9E91B4D71E21432CE606EB110BD9490CE1B3BF53F46C1C1AAA46A13AF42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.318{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.309{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.305{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.272{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.270{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.251{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.240{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.189{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.169{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.155{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.146{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.143{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.139{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.133{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.129{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.128{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.120{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.118{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:08.114{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000126884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:09.703{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1515CEADD3D159708CF574A87827C3D4,SHA256=7256855D5A1C2637CD2F276469DE9FDDD687742971C7EB47227F67768253B807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:09.455{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C4348BE9C93DDCC80155DF40E7A6A6,SHA256=28D4AA23D32E998ECE71E216C811CD6A00F68B090845F82EDB49C5D14FA4B7D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:10.737{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6BBC0423B7754D1DFB5ED67DAFC78F,SHA256=27467CC7FCBFCB9A2CA17B70AECB65A7C1A34C063CE7B676316C4AC08B9CD32D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:10.467{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FE1BE3BEC1BB4A8D1E1CFA7EFDF7B0,SHA256=DDB38672D609FB001479DE2FE7FF0EC6619FCC552610EAF01E86DD7B765FA03B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:10.305{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=C8BAADDDB8ECA4867BFCAE0436FB43DC,SHA256=2754926A8F0EE42BD852D360301BFE746C1CDF99A0AAB311C46A3540CBA41490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:11.783{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD406B5AA011922791E133173EBD68E,SHA256=680EF5ADAA6B2F7BE5D39D8299A754C806866EBA8E047B32B58593D0567073ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:11.477{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B7D9DCD80885B6AAC83CB6EA3A4CCE8,SHA256=4AAA38A7A526243FC9B1C96A4C31BC9672CB29B2FE2C3D7133566352FFF4DE70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:08.145{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53756-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000156376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:12.488{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D60AF1175DF11D6059C1757A8D66B83,SHA256=BE9CCD185AB10BAA69C2F470513395ED72D1E6636B727499AF1F0EE9A92FE55A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:12.851{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7AB14AE6933FDFB5E40C43C560DF743,SHA256=6B9D078FFC977F3FEEE6BE5E8298277E5E82912254704B5D0E7DA3E8675C8564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:13.896{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907DFFB8626D2CE04331F8190BC6B7E6,SHA256=6205AEBFB259CB0303E1C07E02F12BC247F0E8E183ED63273700DDC0413B678C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:13.594{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367DEBEC9DAA9747AF596B1EA60FAC57,SHA256=BB7BD3ACA2D329E52B573CD81AC8A5F211B0EF4E610987727CB5B1D07411592E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:14.930{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000BE6B21C3808A56508FB7AD389CE65,SHA256=61AE99E95FC9CDBDC6CA4C8CC0CA8F946DF702DFFA47596E7958491BFA89FEBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:14.702{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5856257259A7C076220AD2B91F3091D4,SHA256=083C39F66EA1B5F35C2452D7983F051550B3251A08DEDBA759A6BD212FA3EADB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:11.747{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61703-false10.0.1.12-8000- 23542300x8000000000000000156381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:15.863{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:15.710{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A6020C8B953FC0610FB484325930C4,SHA256=8EFF3F31A88E1025A97FE8B7556050C031CD2D44BC9CFE565C7309C879B1DB98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:16.718{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=499612791D5070AAB2C2503018E84F24,SHA256=5BB86506D82FE9A6B748AB8DB1BB76898E60CA378D7D57ED4FB5756FD3498C6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:14.099{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53757-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:16.017{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416D36E1C78D993458B309D7E7A70AA4,SHA256=8674E2B89050CC5A335475C8EDA1B5F9CD316F752F05871EDB9F6F465DCCB82E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:17.727{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B85AD87015ACEC0D0B276E4FDF69CC,SHA256=05BE321A0BBA8D544F4F0BBA8E72134A073C16C30607F527A1AA1DF694E25EBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:17.990{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:17.984{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:17.971{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:17.962{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:17.952{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:17.944{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:17.917{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:17.901{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:17.886{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:17.865{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:17.856{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000126893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:17.094{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68F758C6E4F18A65A67DB8D7827026C,SHA256=49C1AF0A9B2AB24DDDFAF0A60FAA721FE448F22245B7CE073673544441D15A4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:15.359{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61704-false10.0.1.12-8089- 23542300x8000000000000000156385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:18.734{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B318C1FD8647313A7B9A93D628630AA,SHA256=06838085DADF6320C84D358A69BEAD9AE3FA4976E0E06D3966E17F1E651237A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.497{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E64CFFA5BCB69D66FB50212FA9D8B24,SHA256=B7945A598AFC6EC5A1AEF2B9DB0A19071D68B862FCA21CF9AD79E5C780B101F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.275{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.272{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.270{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.268{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.266{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.254{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.253{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.253{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.251{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.248{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.244{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.241{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.234{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.233{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.216{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.204{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.195{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.167{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.150{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.130{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.118{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.115{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.098{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.093{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.090{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.087{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.075{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.073{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.071{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.070{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.068{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.066{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.063{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.059{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.055{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.048{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.041{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.031{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000126905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.024{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000156387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:19.742{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DFE122448E174D8880E865BEC0365F4,SHA256=F0A32BE0C88EE28F3DD60E6AF4C9D07CD7CCDBC52A613850684026B7600BBF8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:19.198{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBB856D059CAB32C31E5EEAB5E29F29,SHA256=FFCBB7BF09334AD5245A653298357203F3C72EF0BFB8A51707284F4B0C254282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:19.198{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:17.670{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61705-false10.0.1.12-8000- 10341000x8000000000000000156404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:20.880{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-20B8-6323-0F14-000000007402}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:20.878{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:20.878{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:20.877{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:20.877{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:20.877{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-20B8-6323-0F14-000000007402}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000156398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:20.877{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-20B8-6323-0F14-000000007402}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000156397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:20.875{6820D070-20B8-6323-0F14-000000007402}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000156396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:20.755{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E33A6FC8C5365E0CF8FD935276810A7,SHA256=0FD8EE78F69A16A687BF0715A0D194B3B96ED61377ABB0CDFEB92278EB94CCF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:20.566{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7F8FF397FCF3AA45B5A6663DCFE26803,SHA256=6E95252E7A7443DF77E515167F343EC9282F40BA0D7F2A46D047FB1B2596FC9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:20.281{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92CD283A730F851C066C6FE124645D45,SHA256=C62D658B48638092A05BC4520DCBF183D019F3A83774753E8BFB8F733C2E6900,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:20.246{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:20.246{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:20.246{E743DC12-D54F-6322-0B00-000000007502}628712C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:20.232{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:20.203{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-20B8-6323-0E14-000000007402}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:20.201{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:20.201{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:20.201{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:20.200{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:20.200{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-20B8-6323-0E14-000000007402}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000156389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:20.198{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-20B8-6323-0E14-000000007402}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000156388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:20.197{6820D070-20B8-6323-0E14-000000007402}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000156417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:21.771{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79CB597487AD501129772B8196AF0D4,SHA256=894621243CB230F0C163FC52146052E0E3C6D6E7D24DCC93345EAC6872FE0A56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:18.138{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53758-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000126953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:21.377{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCDF88B8C993EE7DA5C39F15D5253E6,SHA256=83FDC7C39A1B263D2B5696B23BB9FFE70669EFB5F63E5C0045A01DE04ECAFCE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:21.738{6820D070-20B9-6323-1014-000000007402}70647172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:21.551{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-20B9-6323-1014-000000007402}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:21.548{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:21.548{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:21.547{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:21.547{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:21.547{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-20B9-6323-1014-000000007402}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000156409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:21.547{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-20B9-6323-1014-000000007402}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000156408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:21.546{6820D070-20B9-6323-1014-000000007402}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000156407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:21.296{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB8A0F420F6444903886DED4F8307D11,SHA256=804BFAB471B07028B87C63FF4DE42FD9565B920A11FEE34F766619AE259E551C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:21.080{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6BDFD4BB0299588D48996BE17AB0A6F0,SHA256=C2D5258995671CD9EE9C15346CBC7ED73FF33848B031ACDEFC44F51819654B1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:21.050{6820D070-20B8-6323-0F14-000000007402}48686496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.890{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-20BA-6323-1214-000000007402}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.888{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.888{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.887{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.887{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.887{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-20BA-6323-1214-000000007402}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000156428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.887{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-20BA-6323-1214-000000007402}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000156427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.885{6820D070-20BA-6323-1214-000000007402}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000156426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.784{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A3D622B45E86F33EC4E50B217F3E88C,SHA256=EB4E310D16AFBF42879CD6FBE02FEC9FEE1B633B77A4662A9F61CB9A460401C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:19.174{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53759-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:22.446{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F081CF370461C3C585CC687B5B0BE8BF,SHA256=CE0A1C4B22BA353CD608BE27872B525C328187ADAFB58071596682AE6B475CFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.216{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-20BA-6323-1114-000000007402}7708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.214{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.214{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.214{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.213{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.213{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-20BA-6323-1114-000000007402}7708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000156419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.213{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-20BA-6323-1114-000000007402}7708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000156418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.211{6820D070-20BA-6323-1114-000000007402}7708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000156451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:23.800{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10816F525F4C6D2FAF1401641341B59D,SHA256=F60B439F995D6E7D20B219BB90BD9E32779DF61873F6A7008AD95D6CB77D103A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:23.507{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FABDCC8636896BB922CE387E10A444A,SHA256=E399EBB51F4D6BDA934420DDDD76759F749F301A98EA1B5C60A5CAD0202B81EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:23.764{6820D070-20BB-6323-1314-000000007402}11363056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:23.569{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-20BB-6323-1314-000000007402}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:23.567{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:23.567{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:23.567{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:23.566{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:23.566{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-20BB-6323-1314-000000007402}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000156443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:23.566{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-20BB-6323-1314-000000007402}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000156442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:23.565{6820D070-20BB-6323-1314-000000007402}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000156441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:23.437{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F6C2996D735CA3B1D3DBF42BCFF7472C,SHA256=D0056B766D1BA89B845BDD3144BF054345F986496DADF70102F4655BA3079B89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:23.119{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20BA-6323-1214-000000007402}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000156439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:23.119{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20BA-6323-1214-000000007402}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000156438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:23.119{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20BA-6323-1214-000000007402}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000156437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:23.119{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20BA-6323-1214-000000007402}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000156436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:23.119{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20BA-6323-1214-000000007402}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000156435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:23.119{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20BA-6323-1214-000000007402}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 23542300x8000000000000000156462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:24.813{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=891D5732CDD829E4D45E4C35D236A1E4,SHA256=53E80596B64B2EFB7EE3CAA98A722476475B4B447819EBECECAD024D93F0E0CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:24.564{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05EB93C72DEBAC657F3FA3D790B9B498,SHA256=A4D06B008C3B7E99DB4E063BAA25B7D6419E2E05C268A434D4794DB9FF472F4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:24.426{6820D070-20BC-6323-1414-000000007402}55207452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000156460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:22.736{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61706-false10.0.1.12-8000- 10341000x8000000000000000156459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:24.238{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-20BC-6323-1414-000000007402}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:24.236{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:24.236{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:24.235{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:24.235{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:24.235{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-20BC-6323-1414-000000007402}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000156453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:24.235{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-20BC-6323-1414-000000007402}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000156452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:24.234{6820D070-20BC-6323-1414-000000007402}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000156486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.939{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B873738B7FF3659668EF3B836DB4B99,SHA256=BB4726AA8F3ED11794C25D59E61ACAB058C397ABA0FBEF641B88A3E669E4E91A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:25.610{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D620835C07E7744D9B999E8F950BF4,SHA256=5566250D972FBFEE4605DAE48F3B632C6FEFC71D107AB16FBFCBA666C2BEB560,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.598{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.597{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.220{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.217{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.206{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.203{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.198{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.195{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.194{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.192{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.187{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.163{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.151{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.146{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.140{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.132{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.125{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.116{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.110{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.101{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.094{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.031{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:25.029{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000156487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:26.945{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66C1F57413C44BAC9291B841F5B39A4,SHA256=A75CCAB63397FDD0BFF213D31C42F0B1CF344876C3B5E6A52C417461A869B3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:26.736{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DEDBC2BF3727FF58C6E5BD7773F6AB3,SHA256=F900A8160AED485920DD335914ECE6E9F0977C55764CD420FFE8CB5F0D7015D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:27.772{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76CE7329D34E38CDABC34278731E4A37,SHA256=B18503D6BAEC65253CFF844ED5D3949B9D68FED5C3A335F609503255DEAA0514,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:27.607{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:27.606{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:27.601{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:27.599{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 354300x8000000000000000126961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:25.179{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53760-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:28.858{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9375D1474F1A3A580CD8D6C4DCE5076,SHA256=F73099529A5CE255E520BBE6B2DA95DC17DC44FF2982B10454EE1FED8AD1ECAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.896{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.896{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.369{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206D-6323-0614-000000007402}5780C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.368{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-206B-6323-0514-000000007402}7932C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.360{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.354{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.351{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.347{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.345{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.338{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.325{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.306{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.285{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.283{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.281{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.270{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.265{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.264{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.261{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.259{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.256{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.255{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.255{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.251{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.248{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.241{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.238{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.218{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.216{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.199{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.191{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.158{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000156503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.156{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD797A6D964A06EC392A468A4BBE3A9E,SHA256=E5A57260AEA811E94EF99AAAC73B08DAC63B1D3F25901EAFB7065DA9404AC789,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.150{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.139{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.134{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.133{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.126{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.123{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.120{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.119{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.114{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.113{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000156492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:28.111{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000126964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:29.959{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0182657701F89797BA2C204CB9459326,SHA256=23DBB6105E0435B1CBB05D7570408AE7389F3EE15AA591DCDE1E5E9BB564A1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:29.587{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4226F249E901CB22885DDEBB29C45D92,SHA256=4DD6BF01E8B21976C13B54642C7F84F86879C9173789434E2C4C6978FF34CC55,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:27.755{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61707-false10.0.1.12-8000- 23542300x8000000000000000156538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:30.489{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=791E69B58E463C2B352620E38260C6C6,SHA256=D69C1DD14EEA6ED1A42FC75B060207F74738D69F1ABDD49C33813BB662DD0F6F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000156545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:55:31.601{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8540D214-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8540D214-0000-0000-0000-100000000000.XML 13241300x8000000000000000156544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:55:31.598{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BDD44E51-425D-47BA-BA16-AF37623148D4\Config SourceDWORD (0x00000001) 13241300x8000000000000000156543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:55:31.598{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BDD44E51-425D-47BA-BA16-AF37623148D4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BDD44E51-425D-47BA-BA16-AF37623148D4.XML 10341000x8000000000000000156542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:31.586{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:31.585{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000156540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:31.498{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F85F0524298F27FF85103488B33DD1,SHA256=77D4F8C87B453DC19A9B990711F3B2A0E1EBF71FBDAD5BFE6237C33C2235C231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:31.063{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4887F5C3EA88DBF050514A48528E15CE,SHA256=7054DB65BE25170F4C0B737AF3488A718AFE88074B01ED5177BAFADE16CA9586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:31.133{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B9AE67C0E15129BF5B10ED24C2981A4A,SHA256=CACCD11512D7697B75403A1F9A875E8F388FAA278496FA0767AF63C3CE4DDF96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:32.740{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:32.739{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000156549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:32.506{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300A2B0CFF770A39EB14B32D0A97753D,SHA256=46563AB7727BD11B7BD106346874FB0909AEC6333DB8B58140E67EFD12A1B790,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:32.406{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000126968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:32.406{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:32.406{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF126c935.TMPMD5=39D11997735CDFDAB7051AB86B8F82E9,SHA256=34F34B56FDEF9CE630B3344FE748DFBC186169F1CA2CC69FB9A6920D5DE026AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:32.161{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDE01C42AEB05A9878A7C6EEC2F7D9F,SHA256=251A03F543B40D366AAFCC3FB34E51E57F9FBA5E70D8267DDBFF909E16AE9D11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:32.430{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:32.428{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:32.428{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000126971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:31.189{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53761-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000126970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:33.248{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58BDE235AE8722910EF04E0B29C3127E,SHA256=867A8AF81C9276976476B0EF26EE6487B98E4BE7EE98CE814CEE2A5947C7ACF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:31.933{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61709-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000156561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:31.933{6820D070-D301-6322-2100-000000007402}2504C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61709-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000156560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:33.518{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CBEDFF62DCD6D5237D43B80D7F114FC,SHA256=EE8888CBF15BD186DBFBE5FDFAF5E83E4AC3E4E7048D1E83B2EC33E363986EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:33.487{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41006FD0B43C69951CD5079CF1BF62EE,SHA256=FFB8887DBF7B9EA98C18E216B47AA1496A80030C65E794011A35618D8EBBB775,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:31.112{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:7805:3900:f880:ab2f:8c94:ffff-64899-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000156557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:31.112{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local64899-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000156556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:31.097{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local61708-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 354300x8000000000000000156555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:31.097{6820D070-D301-6322-2100-000000007402}2504C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local61708-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 10341000x8000000000000000156554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:33.260{6820D070-D2EE-6322-0B00-000000007402}6282228C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:33.257{6820D070-D2EE-6322-0B00-000000007402}6282228C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:33.257{6820D070-D2EE-6322-0B00-000000007402}6282228C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:34.298{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E73728DFBF74299D24EB8BB704F94A8,SHA256=6AE50033BE84253C9DF276250767EFDFEB46802B65D7026A8CA28E9D6A052FEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:32.763{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61710-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000156564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:32.763{6820D070-D301-6322-2100-000000007402}2504C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61710-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000156563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:34.523{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE09838985A921BA7A128FA3BC44D12,SHA256=93EEF317E9D0E129B40F94A2DF2E427CD1A4349F9AF87F6C22C22068703D0BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:35.399{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3DC223AE508E2FA3BC86C04A59E047,SHA256=F60C30D6910AEEF7D0BC59337F9283BC7773AD45AFD56FBD632AAFADAAC431D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:35.629{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA670C7ADB14D1E62C7FC9691C8EEFAA,SHA256=C6537C5E5780345B872F7107F182AA90243486527E750F28F2664F79283879B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:33.582{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61711-false10.0.1.12-8000- 23542300x8000000000000000156567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:36.637{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07B56CD535D6BAB68AF3B1C9990DC77,SHA256=3A57473F734752A53E5FDA95CBEE214A75AAA4CA19CB6F69E463DC68CB37B716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:36.452{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA07283040C3E075FB000E58742ACB0,SHA256=3005BE4CDB5182D8315696DCD58E3AC40B3F52FE4ED1C1170109E04CEF0F2E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:37.738{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DA8B1604B161C7AF702086132299F3,SHA256=DAEF690CA937E97D0D513DAAFBB18EEFCD648D05A4243718B72ADE1D4EC3958F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.998{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.994{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.993{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.991{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.989{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.987{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.981{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.977{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.974{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.971{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000126991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.964{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-313MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.959{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.956{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.940{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.934{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.908{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.901{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.894{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.887{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.878{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.871{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.864{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.856{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.849{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.840{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000126976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.837{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000126975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.470{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5307C33D0E9B0D5A21BF81DBA0F882,SHA256=98590B10974DF16FFC1AF9F8F1B8391B2887B957828DFB515A574BBA67F3E5A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:38.744{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C163253D7C093301861F78CE24884A,SHA256=A59CB5F2757FCE4D808DE7044BD1AEC0A87EAEDAC3D25FC354F4A544A2A4D945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.956{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-314MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.770{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B65F5A508033E7568076C9C9ACC0A8F5,SHA256=D57B5226A0C24DCBD69564AECA2C8ED81F46151E4A24CB7C4B4D351CFCC8A8B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.654{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B3A673CAB77A0B4D2C083060D93782,SHA256=665662010D9E0D9DE986B25FD06603E08C6528DD44286932DDE6728655286E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.654{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4147EDFFDB06664C07E0AD286BE56B,SHA256=AB46FE59DA86472F37EBB9910AEB95B04B346C66B86D1E48B7D19CA91A2DA186,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.179{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.177{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.173{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.171{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.169{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.155{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.154{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.154{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.146{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.140{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.134{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.132{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.118{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.116{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.089{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.073{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.064{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.040{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.024{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.014{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.009{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.008{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.006{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.003{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000127002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:38.002{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000156573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:39.909{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:39.909{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000156571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:39.847{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DD3B01767CAA1E444B30DA637B2B3C,SHA256=28579BFC1E3E5849E8C99B0F8CCA967C125BE750A00A65BC8645E9460E055E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:39.739{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773CF14D405C4C3D1CF150906756FB42,SHA256=E33E33C5AF4DD7E90AABED053B5C3A991B7184409C69E8D1CB8159D21AE285B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000127031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:37.121{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53762-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000156574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:40.950{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8729709100FD9FABEED95D4FFE3C0DDD,SHA256=49B60BF92B9EFF608E79240FDA4F964B989D10AD4F7D228171638785B343B5C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:40.815{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C065025E71E4D15CC24EBB5C02D0A231,SHA256=2983E4B811AC99155BC548371BDF8C4EC7581BA20A410F8E8A158CFD60FD4F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:41.882{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC46E666F3370B54DBF9ECF6A8DD7A9,SHA256=1B01859F8910956421AB683B5FCC4C13CEF45F5B6AFB3281595BC41A65DBE7D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:38.659{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61712-false10.0.1.12-8000- 10341000x8000000000000000127036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:41.615{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:41.615{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:41.614{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000127038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:42.952{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0268D5234898551A6BB4F514ACAA08BE,SHA256=DFF46D70DB6A251B172A7DF8F6ED0C72618345789F63BD66C77F1342202E57E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:42.055{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A9400FF57F78413E6E53C578D9EEB5,SHA256=2B1AF928CF2A0202007B22B5CD7169486CAD49DBD9883552CCBB2EAAFC7A1A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:43.059{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA5CBE5922E3A9C5A9C77B15C7A46CA,SHA256=BFEC2D14615846DEB785177EC7E0F8ED24099E741A58F5B16685422EAF400BF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:44.679{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:44.679{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000156578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:44.164{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B2E286742971F114BC6201D4109027,SHA256=B6F3AE1C82FD85FBA0AC4B90ADAADA96350D7BB80084B8719070F73455D14095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:44.000{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AF473DF82ADEAD0B6A8BAD1E4804C6,SHA256=51B361F0B6B4FE35F5AF9DE5D1D0DC010AFA92E29ED5DAEC7CB84A85B6E3A0BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000127041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:42.220{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53763-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000127040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:45.101{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4507AD76BB683B3CCDC981C3EB1DD96B,SHA256=44F81F580FAD777AFC3E70FB0B672A47CCD13C2CD6E0F604CC8ADF36B385D4BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:43.711{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61713-false10.0.1.12-8000- 10341000x8000000000000000156604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.677{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.675{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 23542300x8000000000000000156602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.278{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263FAA4357CA8EF79BC6922DD423C409,SHA256=E6B52DED9A2D57DC0D5107CF2E3926B80D26F2064E8105DC8277D6C6AA2EE37C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.272{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.254{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.228{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.225{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.215{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.212{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.210{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.208{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.203{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.166{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.153{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.148{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.142{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.135{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.127{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.117{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.110{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.102{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.095{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.052{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:45.048{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 23542300x8000000000000000127042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:46.120{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE183F6DE32DF77FD5B25AA0657B4EFC,SHA256=F892B526156579631CD820138960B752723614E3110B36EEFFADC610DF38A2D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:46.878{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:46.878{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000156606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:46.286{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7356ABD7BBCFC8352ACE9AC01FF411F4,SHA256=4D7882190D9DA08E805AF8A65D5E7984039E01F7F1F5ECAB36397246FF709051,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:47.689{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:47.688{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:47.685{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:47.683{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:47.681{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:47.601{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:47.601{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000156609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:47.389{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3835913D91CEB3D436E20A5BE7D8495,SHA256=FF52C00CCFB6039E0799FDA95DEF3680BA16887AB65ADF96541623A29F764229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:47.203{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF983B0C2C143453E06C60C70F4CB8A7,SHA256=9520E3CD3A413DAD6F3D2D0C7034D859ECA5AB1E4CD2F7678338D8C484B38A34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.903{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-20D4-6323-DF0B-000000007502}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.902{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.901{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.901{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.901{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.901{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-20D4-6323-DF0B-000000007502}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.901{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-20D4-6323-DF0B-000000007502}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.900{E743DC12-20D4-6323-DF0B-000000007502}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000127052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.399{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-20D4-6323-DE0B-000000007502}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.399{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.399{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.399{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.399{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.399{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-20D4-6323-DE0B-000000007502}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.399{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-20D4-6323-DE0B-000000007502}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.400{E743DC12-20D4-6323-DE0B-000000007502}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000127044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.249{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C10DD1A98044547ABF25A173DC009B,SHA256=1053014F45AB3067D66979BB701FF44340F418C382230481D5F536FB9EF522E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.910{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3CF78EB6B7E44CDF11CC230C3B87D5C,SHA256=E617C4FBFB84BFED92F5AAD7E4048DCF89187776476F670FB7922967069ACED1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.841{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.841{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.414{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.412{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.411{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.409{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.406{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.404{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.400{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.379{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.367{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.364{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.363{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.353{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.347{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.342{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.339{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.332{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.326{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.325{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.325{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.321{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.319{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.311{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.309{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.291{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.290{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.273{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.265{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.233{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.226{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.216{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.212{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.208{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.206{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.203{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.201{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.200{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.196{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.195{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000156617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.193{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 23542300x8000000000000000127072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:49.590{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=71BA4E4EE4DB638A651E8C2CE0F928F9,SHA256=D79B4E0EE25AE8C8900825634488B068FF2AD4979C18C1CCE6F2116C6659748E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:49.584{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-20D5-6323-E00B-000000007502}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:49.578{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:49.578{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:49.578{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:49.578{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:49.577{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-20D5-6323-E00B-000000007502}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:49.577{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-20D5-6323-E00B-000000007502}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:49.576{E743DC12-20D5-6323-E00B-000000007502}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000127063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:49.486{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B77C7E18D4FC6F5266181B6794AA3C98,SHA256=4EBF851BF9A8C4C1A9A0360D09D182191CDF628F94C3BF3120A5E72A38C9C3A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:49.338{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB5F15E24D6F939A2C73D53645274DCC,SHA256=4B37C12464795C4E95614985987B36745A98A0D4D90C7CBF6C247A5BFC990197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:49.415{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2557682829053C18400105F8CC943293,SHA256=38B7E1C8B1367816CF44F45742E035508F1E952C155EF9D5BAB165954101A280,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:49.083{E743DC12-20D4-6323-DF0B-000000007502}44042360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:49.055{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:49.054{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:49.054{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000127092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.986{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CC513E8C3B191E453D2A8CB1CB4EFE67,SHA256=69BCFD8D1CA461511DEE5253D846B90A9E1D49EDD4B145E7E37107ED91403462,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.846{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-20D6-6323-E20B-000000007502}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.846{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.846{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.846{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.846{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.846{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-20D6-6323-E20B-000000007502}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.846{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-20D6-6323-E20B-000000007502}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.845{E743DC12-20D6-6323-E20B-000000007502}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000127083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:48.051{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53764-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000127082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.441{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F4E8B9AD82DA8419D15DD61A9E2FA63,SHA256=0934D8DA0F9516E9C374E665ADDD3348C60B39366EBA502526143BDD075EAC7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.401{E743DC12-20D6-6323-E10B-000000007502}47125208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000156664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:48.728{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61714-false10.0.1.12-8000- 23542300x8000000000000000156663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:50.422{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB742AA231B5B61BA7A0C72FF1B95505,SHA256=09A75D4BE82B6CAFD4AC43D9E6200CC8D3767728104840CB2367AF2311AD2A45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.245{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-20D6-6323-E10B-000000007502}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.245{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.245{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.245{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.245{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.245{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-20D6-6323-E10B-000000007502}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.245{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-20D6-6323-E10B-000000007502}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:50.246{E743DC12-20D6-6323-E10B-000000007502}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000156665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:51.526{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F972275921D90A5450EA37A9D3128A4,SHA256=9828BD27CCDCE667F3551FF2C2DFDD2301A72AE0987A5D13E77C3691935B7173,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:51.774{E743DC12-20D7-6323-E30B-000000007502}24885492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:51.678{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-20D7-6323-E30B-000000007502}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000127106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:51.678{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-20D7-6323-E30B-000000007502}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000127105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:51.678{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-20D7-6323-E30B-000000007502}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000127104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:51.677{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-20D7-6323-E30B-000000007502}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000127103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:51.677{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-20D7-6323-E30B-000000007502}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000127102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:51.677{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-20D7-6323-E30B-000000007502}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000127101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:51.502{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-20D7-6323-E30B-000000007502}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:51.502{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:51.502{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:51.502{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:51.502{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:51.502{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-20D7-6323-E30B-000000007502}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:51.502{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-20D7-6323-E30B-000000007502}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:51.503{E743DC12-20D7-6323-E30B-000000007502}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000127093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:51.487{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF92D598B38A609FDD1BBA9572924EA,SHA256=4A21877268297BF7D3B435751684DFD717E93964251117C203DFEF6CF778DF4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:52.629{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E5A1271BB0B8C54EC33E36A25F291A,SHA256=2B844BAEF0940BB9FD0AB6BC0261C3337987E655760D04CCA2516EE6C3721F9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:52.600{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000156667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:52.600{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000156666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:52.600{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF130651c.TMPMD5=1C1390FB7031B53AF8B5015FEB516BB7,SHA256=7E9DB3FA9C07EFD7A9158EE7BC0183A5F15EBC556C75A7245F742DAFF3D723D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:52.543{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3571D4386E00369DD319403431FC2C71,SHA256=84DE59A4A6177C159C2CB531CAD16065A506519A9823A92513C25C65EBB30045,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:52.379{E743DC12-20D8-6323-E40B-000000007502}23803392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:52.158{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-20D8-6323-E40B-000000007502}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:52.158{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:52.158{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:52.158{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:52.158{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:52.158{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-20D8-6323-E40B-000000007502}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:52.158{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-20D8-6323-E40B-000000007502}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:52.159{E743DC12-20D8-6323-E40B-000000007502}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000156674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:53.641{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CD65FA3E441BCED348450492C1D246B2,SHA256=30527DDC0BDFF77C1CA084CD3D9F6723FD56C179EECDE87BB4CF581279EC34E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:53.633{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95E1ABF9730461BB47F07A2EE19004B6,SHA256=A9A08BE32AB8F1A8CA7906588EC74A7B0CBF2733374FD5849CE92F6B20B41334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:53.645{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75741A4540730328074D2949A9CA268,SHA256=27413979DC8D2A03DFECEF88D060B74CC6BD93187A861E8FC1D38DDFF1F6DA42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:53.576{6820D070-D2F0-6322-0D00-000000007402}908652C:\Windows\system32\svchost.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:53.576{6820D070-D2F0-6322-0D00-000000007402}908652C:\Windows\system32\svchost.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:53.576{6820D070-D2F0-6322-0D00-000000007402}908652C:\Windows\system32\svchost.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000156675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:54.738{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72387481A7730B968AA57D730513BD29,SHA256=2C6A1812AC0457E6AAD3E6681ADEBD6F1C8FB8F05D9D475B825BE62A497CA8A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:54.705{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6564D8B6D2E9405E17050BFB8D2D70B,SHA256=6955F783298F8BAFC00C6CEA5C7C40CB2D7685900BDABE50252E34FA8193ED7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:55.841{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFD5438F20F8203AA3076D0E811C21AA,SHA256=54FCFDFEA86981C10F3C480388F5D6A1F2447220DE11300A3B4A10CBED3B46C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:55.780{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC23FCA36F7607C1BB08A51A8550A3C,SHA256=35E4CF4482BE073AA9EDF2405167769A0FF5ED4631D8EA5D3F489F64FA970D3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000127121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:53.081{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53765-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000127123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:56.809{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756B173A63A2A6DE545E4CCD729F3C31,SHA256=501FE24BA9D8C67DE1EE7913A7587DA66E0788988554D947C8F6F15F75FFD35C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:54.620{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61715-false10.0.1.12-8000- 23542300x8000000000000000156677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:56.851{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84FC5E7C2F24C25AA0A0EB93D42D356C,SHA256=EB9466DA7C8B761468C028E1255E44B2B4E3D340EA3DA05248FB8BC16AB0BD4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:57.956{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A291599522730CF2435FF55AB6685B27,SHA256=B3548B03A2037BBFFD6545C88F82CAF0D0E5D2FC5A7CC9FF68FB3A5F87BB6C6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:57.996{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:57.984{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:57.947{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:57.939{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:57.919{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:57.912{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:57.898{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:57.890{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:57.881{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:57.868{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:57.858{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000127126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:57.852{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28FC6CAA9DE197EBBE5CF88A3CD4551,SHA256=B4E86B2CDA11A3C1FD809A06C4EC90CE9E139EC0BA659E596DD59F26F75E53C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:57.847{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:57.839{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000127176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.910{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7489D7B54A6EBCE0E8BC613BA3C8CF78,SHA256=332A6A719A3F0213182F8A993F8D938E0039574C1207FEAF151EF3EEBE1CA8E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.349{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF6D0DE86CBD8ED15CC4A83961A9849,SHA256=C3F2AC33BB997B5D50C51E2E4E419B3E356ACB4190C1399248CD2598B9EDE4A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.221{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.219{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.213{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.211{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.209{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.195{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.193{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.193{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.189{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.186{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.183{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.180{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.172{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.170{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.151{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.139{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.129{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.097{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.090{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.077{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.071{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.069{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.066{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.063{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.062{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.057{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.054{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.051{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.047{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.045{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.042{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.040{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.036{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.032{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.028{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.015{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000127138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.012{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000156681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:59.187{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-323MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:59.159{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA9049A1630008AC7421B30EC5FC108,SHA256=44FA08FAB481EC391E7D6BFD01C634C13971966C2FCA22B5A60AC3EA741602FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:00.185{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-324MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:00.167{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB33FA2BD5D9E67E0984E13BC5C8BC0,SHA256=88C2D61D80307017DFA4459962BF4DD1DF58B249A629BCAB79B3EA416F782DEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000127178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:55:58.178{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53766-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000127177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:00.012{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045385B141E67DEC8150E983B8772165,SHA256=50EACC3F7DCBF0F864C874391BF8E049E934CCAB44145D14A8C67B304FFFFFB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:55:59.682{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61716-false10.0.1.12-8000- 23542300x8000000000000000156684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:01.268{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43726CD070DED0903BC837C800C72512,SHA256=BAA2D5D5919F31FA9AD8F5FF988E38FF52421AB07753CB1BFC87BEED189CAE33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:01.086{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E022B52D8571C0F6D937EF73AE81491,SHA256=86F5D8C730A85BF357D7E2BA258111185D3309DA99F151348AF9C0220A8C1F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:02.271{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F74DC9247016A5233B063AADA5BFF3C8,SHA256=7EAC9A90E0665B44D6201D1BF7F92E236EB40F7B2CDCF84A935EB4926C0808E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:02.154{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16B775B4B394201B107E89A91BBF6B2,SHA256=8DFBC7BE42CF7FEAC93BC5CDE1E5FB31CC347709171ADE6307B10CBD80877737,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:02.302{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61717-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000156689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:02.302{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61717-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000156688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:03.874{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3371CDAE3DC05B9474313E39D6979029,SHA256=876B9CED12F7694C375026F97357CDBDBACED67ADE6A11E9219A5EC237D078C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:03.373{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7BE8FAACDE3DB6FB4D908104FE67A7,SHA256=F614F3A8124D277C17BFC3DFFAA5310AC74D76157E512F28F7AF50A8B79141E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:03.217{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF77E793BA7E6EFE9EA539A1CFC99C6C,SHA256=D637706734424406A0C65F5877C65AAD0DE1E50A427DC374E6C8FED756A2BD8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:04.477{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045D02CE11CF8F42277F629BBACB6DD0,SHA256=60B0BF2E2F003F320846332A9EF713AA87CDAB1F729F71E2EF891E69B1979D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:04.272{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207AA96FD2061654DED675560628C9E1,SHA256=22618B9EA9810E18FCFE6FE05C1D4D7EA9E06CE8D4DC6689A0A608A157896B89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.674{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.673{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000156713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.493{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6CE205B6955FBA403BFA91B8C818FCF,SHA256=61718F070A77F176765F2CE40405E90D23AEBECD360D80B8D6F5627F1F6EEAD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000127184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:03.224{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53767-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000127183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:05.373{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202CDA6CA8308ABFA583AC6D23AD8F8C,SHA256=83E3273C5716FA99A4D7C5D6DCA6942011688A111CF142D5408E306F62BBD456,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.230{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.224{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.209{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.205{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.199{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.196{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.194{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.192{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.186{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.157{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.144{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.139{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.132{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.125{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.117{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.108{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.100{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.084{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.069{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.031{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:05.029{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 354300x8000000000000000156717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:04.727{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61718-false10.0.1.12-8000- 23542300x8000000000000000156716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:06.600{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5351EB73FDCBFCBDDDF245E02F37A900,SHA256=34073D0DC3924D53408F0B2C0B40214DC13ABE8EFC622178D1666382B6BBCC6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:06.474{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C04F5D86D6E6BE2546EF24C783C0DE0,SHA256=CE4FB97E33DCB81E494CCB1441C3DD077833BE8F5CD95E77CEBA05D6D711B58A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:07.704{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C27523058D1A31D90120B243E1C848FE,SHA256=A83EF97580AD47D3B5DBAFE5E56F98BC687D5622A5C50F48F22B5719FD25E88C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:07.686{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:07.685{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:07.680{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:07.678{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000127186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:07.559{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C19031B5D6B289AC5DCC43C7CADD0E,SHA256=26F6BE226656396422FB251FC1D189186D0610E21EF2D902C8E41C88D4EA718F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:08.620{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162DC0117B14044B7C620F7F1D560441,SHA256=4D6FCE09B5BCAEB512AD10816CE1DB3FC4760BF5D22CBE1204EC9AE3D3B614FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.434{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.432{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.431{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.429{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.425{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.422{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.417{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.388{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.373{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.371{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.369{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.359{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.354{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.353{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.350{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.347{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.344{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.343{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.343{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.339{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.335{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.321{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.319{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.299{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.298{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.282{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.274{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.237{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.229{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.218{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.212{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.210{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.207{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.203{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.200{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.199{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.196{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.195{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000156723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:08.192{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000127188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:09.662{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30BCA18D1E4078C970E5E38A29AD30C2,SHA256=E8036D22FA6FA25AA0CBEA39772CE850669219721D0627A9E86252FF96CCD869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:09.023{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FA9BA10EF58D65B35E02397968CA06,SHA256=E2AD96F7B1DC17A1D79BA0B967900CFE78D11336969FFF75ECC026F25C0F4580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:10.779{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD14D310DD0D98E488AE3E237473A24,SHA256=329F91CBE07F83F9E080630434ABF85CD2FDF0486AEC554AAFBE36599476FC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:10.124{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B26C8FB7F51E9A1A8A2577835776DA,SHA256=81897F7A5447A3205AEA3D487E32B2933D250C58FF11AD1D7BBBBE191C757B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:11.799{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B06E2998920CD94F2F8D08C318B28F1D,SHA256=44BBA251334B307230F8C8359662BB3605B3568FDD192C39BE8917A68CB8714A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:09.752{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61719-false10.0.1.12-8000- 23542300x8000000000000000156764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:11.426{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76664EE68AD7CDC4A80936B57FB8A21,SHA256=2BC15BF11E8FDF15329A2361BD88C56A6DA5D362E57B24E7620D9A7D043B226B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:12.867{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4A4D9FAFFA70025D2B3A4999EFAB6B,SHA256=64FABF4792FB8AAD7FAF7886D2CE1AACC68B3E4CFFC29687D3CF464510DE0445,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000127191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:09.161{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53768-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000156766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:12.528{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3B68E5E08D90FDB9C5BA17549B3B06,SHA256=08F24281E72C7B62BAE4D3629211DCA19A666532BD8A3B0F2E3B17C4FEC73021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:13.937{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8E614F83AACC21657B02D00F100799,SHA256=062D664CD2852A8BDEFEFC6FC39B9740F9B8618EAA94F2E0BCF11AEF8CADDDC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:13.531{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD5DF4B7DFF88919772016693D3AB99,SHA256=E1A8527621DC4397E7435CDA2E0633B0CF9E92DE0C1B99E7FE165FA285CDEBB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:14.534{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3605C8AA66C41966587141A1DF8BC288,SHA256=612A61FA4F22E05D9784B33036FED64C88113F82A76CC525487353AC3C4CEF4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:15.879{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:15.540{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9125536F605E8B6C2353CE32A8BBABF1,SHA256=6360AE26D86AC1742832ACD7EB0EE1F4C85BEDF1431F5F01E0DA4B727E300E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:15.085{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5EB601CD12C27F753DE2EE642B7D9A,SHA256=A34CC7A601726DF65C36F94A215537DA2810A90FBD112B63567267C0186E7119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:16.646{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DF14F6BC37FE86CF96C52C87652AAE,SHA256=BD32CFAEE00A9C018136F19E7317F4B1937BAAA2E2B376A2EFCAE9A866899F09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:16.172{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA8ABA2F8A615901073F91446D8D3E8,SHA256=C213D22F34827C99F94F18E829F8CC62D6EFE115704A3C6E9E210DB02174AC95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:15.543{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61721-false10.0.1.12-8000- 354300x8000000000000000156773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:15.375{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61720-false10.0.1.12-8089- 23542300x8000000000000000156772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:17.852{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313AB54FD22621CFEC303A677BF5837F,SHA256=3DBFE74F2A74F66AB2C24827B8516046DDA66BD5A7B49C138C935972A920AD9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.995{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.992{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.989{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.981{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.979{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.963{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.957{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.934{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.928{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.921{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.913{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.902{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.897{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.891{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.884{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.873{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.853{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.850{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 354300x8000000000000000127197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:15.170{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53769-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000127196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:17.273{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D144F566BF0D6EBB5BCC32376FB07C,SHA256=AEAD2D1E959E59E7AEFBC65E71156B7F94F66F479992063574BB9F8ACAE5F700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:18.856{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E81AFD7E1182CC5F81501AB1B68E92,SHA256=6AD2137476930EEDBDF25C46817EB0EFF4A495A5E750F7F6847245282F147556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.459{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D1ACA60C16B05038D30AE567CA6802,SHA256=273E6D7B06FD821D115EE40B69054740E6B66497D1632681FB7CFCFC66CA6BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.459{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80988E49688BC9E085C56C607981E4EE,SHA256=FDEA61A750A354F3A44310191E336C5D3D57B5F8676824A3AD546221CCD8A261,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.169{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-1B90-6323-430B-000000007502}5680C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.167{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.165{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.162{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.161{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.149{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.148{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.147{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.144{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.141{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.138{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.135{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.128{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.126{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.104{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.083{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.075{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.052{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.045{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.035{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.029{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.026{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.024{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.021{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.020{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.013{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.011{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.009{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.005{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.004{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.002{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000127216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.000{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 23542300x8000000000000000156776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:19.860{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9456D8D77643900C27D498991ABF3DC5,SHA256=B7F95BE5BB130E8C94A028E3BA201AD51AB415D4C61A011FFD8AF8761E22ACF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:19.539{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFB3475DC01ACDDD52E8785D943FED2,SHA256=300B69AE90FACDED6A293918BBC56ACF57BE4977868C19F91760AE81F1882DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:19.224{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.971{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F3F74D520EBC5F2C85FFF306030F01,SHA256=50F1F3229AFD731A663A3C57E46E4D5F427D95EE740BBB75A842116F613D8562,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000127257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:18.174{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53770-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000127256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:20.615{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07EA8357EACB0AD5DF9772FF95A39E1F,SHA256=4C41E6F2ABF7F079FAF2960E5B154F3AA0299C2A5A85FD8AE409C0D9F33B1C19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.839{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-20F4-6323-1614-000000007402}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.837{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.837{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.837{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.837{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.836{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-20F4-6323-1614-000000007402}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000156793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.836{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-20F4-6323-1614-000000007402}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000156792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.835{6820D070-20F4-6323-1614-000000007402}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000156791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.437{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=00A644EE03153A0C64C42A98D2CAC816,SHA256=81F2DF7C76A2B295ED149420A8CA1668960EB57A8913C7B0FF4E03554C2C2D37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.368{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20F4-6323-1514-000000007402}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000156789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.368{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20F4-6323-1514-000000007402}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000156788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.368{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20F4-6323-1514-000000007402}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000156787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.368{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20F4-6323-1514-000000007402}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000156786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.362{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20F4-6323-1514-000000007402}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000156785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.361{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20F4-6323-1514-000000007402}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000156784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.189{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-20F4-6323-1514-000000007402}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.188{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.188{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.187{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.187{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.185{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-20F4-6323-1514-000000007402}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000156778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.184{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-20F4-6323-1514-000000007402}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000156777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.183{6820D070-20F4-6323-1514-000000007402}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000127255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:20.254{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:20.254{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:20.254{E743DC12-D54F-6322-0B00-000000007502}628712C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:20.241{E743DC12-D54F-6322-0C00-000000007502}728740C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000127259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:21.681{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B839CD70DBCAAD7F835B9816339E4B3B,SHA256=3988DBB59BE4C6E41358F32EE40750075550174DC07077E4619DC75AF63FC1B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:19.630{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63578- 10341000x8000000000000000156811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:21.680{6820D070-20F5-6323-1714-000000007402}40244848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:21.519{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-20F5-6323-1714-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:21.517{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:21.517{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:21.516{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:21.516{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:21.516{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-20F5-6323-1714-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000156804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:21.516{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-20F5-6323-1714-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000156803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:21.515{6820D070-20F5-6323-1714-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000156802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:21.221{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3A4351FF52FDEC5016006F9827BBA05,SHA256=3816966493238991C520CEAF678646BDCE3D38893493139826DDF1134036E594,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:21.109{6820D070-14A1-6323-7F12-000000007402}78967424C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000D667B8F)|UNKNOWN(000000000832AE34)|UNKNOWN(000000000832AD64)|UNKNOWN(000000000832AD3B)|UNKNOWN(0000000000D1D11C)|UNKNOWN(00000000162287D2)|UNKNOWN(0000000016228713)|UNKNOWN(00000000162286C7)|UNKNOWN(000000000810E5FC)|UNKNOWN(0000000008107365)|UNKNOWN(000000000810756E)|UNKNOWN(00000000081075A0)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 23542300x8000000000000000127258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:21.196{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=34E55B440ACA7A2723853A60B13F09F6,SHA256=AECBD7F55FC7E47249A4CBF22862CB8D30B82B39305540D38DE3995D69F4C589,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000127261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:20.179{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53771-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000127260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:22.743{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69FDEA70C4390A955A20E5B3DAF86A74,SHA256=AFAD6EDCBDCCA58EE898312FD9C25D09C4786B7FA8C232A4E40DF5B769E464E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.996{6820D070-20F6-6323-1914-000000007402}81005172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000156838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.706{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61723-false10.0.1.12-8000- 354300x8000000000000000156837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:19.679{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61722-false41.77.117.236youssef5.genious.net21ftp 10341000x8000000000000000156836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.797{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-20F6-6323-1914-000000007402}8100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.794{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.794{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.794{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.793{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.793{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-20F6-6323-1914-000000007402}8100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000156830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.793{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-20F6-6323-1914-000000007402}8100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000156829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.792{6820D070-20F6-6323-1914-000000007402}8100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000156828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.367{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20F6-6323-1814-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000156827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.367{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20F6-6323-1814-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000156826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.367{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20F6-6323-1814-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000156825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.366{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20F6-6323-1814-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000156824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.366{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20F6-6323-1814-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000156823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.366{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-20F6-6323-1814-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000156822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.186{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-20F6-6323-1814-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.184{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.184{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.184{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.183{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.183{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-20F6-6323-1814-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000156816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.183{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-20F6-6323-1814-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000156815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.182{6820D070-20F6-6323-1814-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x8000000000000000156814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:20.119{6820D070-1F1B-6323-E113-000000007402}5728ftp.boloni.ma0::ffff:41.77.117.236;C:\Temp\agent_tesla-deob.exe 23542300x8000000000000000156813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:22.077{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B70DDEBC04D1FF3C8323C54F1219EE,SHA256=858FCB18A4B387C834B169DACF9AD48F57E883860885FEF3A393BC4CD79ED4DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:23.818{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042106D9377F7127EE109435C7B0FCEC,SHA256=58012CB0EC7264B0150F79CDEA5C3EB1FAEF0486C4C74D91AB6E9414F41C18F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.987{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-20F7-6323-1B14-000000007402}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.984{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-20F7-6323-1B14-000000007402}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000156856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.982{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.982{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.981{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.981{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.981{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-20F7-6323-1B14-000000007402}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000156851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.979{6820D070-20F7-6323-1B14-000000007402}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000156850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.654{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9D4C3D3FD63D8C6C9D15397DDF8A0EF0,SHA256=6F848D518CC725D6FF629A406B2462833321C8171F1B5C17D7413F74AA4E8B7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.489{6820D070-20F7-6323-1A14-000000007402}19326728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.318{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-20F7-6323-1A14-000000007402}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.315{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.315{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.315{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.315{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-20F7-6323-1A14-000000007402}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000156843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.315{6820D070-D2EF-6322-0C00-000000007402}8487948C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.315{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-20F7-6323-1A14-000000007402}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000156841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.314{6820D070-20F7-6323-1A14-000000007402}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000156840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:23.313{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A325E1E0F7B2CFEF14775084070D51,SHA256=C883928B9A232EFD3BF2551DF0707FAB3753D8B07EBB86E58B649F3BADBA9F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:24.893{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C622898FE724CA6D53A7CD266437869A,SHA256=1BA33A48564AF726D55A692372165DB98BB57D23605ADCAE2EC1B66D820AB7BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:24.402{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5621440BB5B62D227BEC5565FEDEE3C6,SHA256=40769D22E1F872107EDFE3952A79D05F27A8DDB0539AB4B8D8E238BA676C2AA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:24.201{6820D070-20F7-6323-1B14-000000007402}46801284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000127264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:25.974{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342D3915BBF6B3FB484B61D86B19B11F,SHA256=C9B5F685042353475FF30E63B3B789AF177403624248F7637DB1EC44C5547238,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.600{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.599{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000156883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.512{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CAB9EF3CC26A7988DA3800085E9439B,SHA256=9842F0C2857CAC1CBE93308229877293AD81C7E881A0BDD36A556113EFFFEC91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.250{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.243{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.230{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.226{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.220{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.217{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.215{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.208{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.203{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.173{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.157{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.153{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.142{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.135{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.126{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.116{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000156866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.112{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=01DFA1B074939957EA18FA86EF41341A,SHA256=D8123BA9268B0434256F0D24D829AC4B119FE5C416862BB8892948FB00CFCCE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.109{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.098{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.088{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.031{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.029{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 13241300x8000000000000000156896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 12:56:26.692{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000156895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 12:56:26.692{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0130ea49) 13241300x8000000000000000156894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:56:26.692{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c8fa-0x2f0adbbe) 13241300x8000000000000000156893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:56:26.692{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c902-0x90cf43be) 13241300x8000000000000000156892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:56:26.692{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c90a-0xf293abbe) 13241300x8000000000000000156891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 12:56:26.692{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000156890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 12:56:26.692{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0130ea49) 13241300x8000000000000000156889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:56:26.692{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c8fa-0x2f0adbbe) 13241300x8000000000000000156888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:56:26.692{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c902-0x90cf43be) 13241300x8000000000000000156887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 12:56:26.692{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c90a-0xf293abbe) 23542300x8000000000000000156886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:26.615{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2831A89D78DAF407C5A6B97F508FB4E4,SHA256=518A4276E97ACB8019E2E6249CBE378F981B370336FEC66BC811CA67036138BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:25.738{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61724-false10.0.1.12-8000- 23542300x8000000000000000156901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:27.723{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917A318A71971E98B70F4D3FF713AA28,SHA256=ABE06BA46FB9C7A33C9AE4B7147FF7CD9C4A0B35B8402A38AB8698C5122D7607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:27.091{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18619315A2E4D81ACAFAE47DEAF33DAB,SHA256=5BE44C2F430A2800D207E86535C26F4F621C030B6544EEC565E159C469CBA296,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:27.610{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:27.609{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:27.604{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:27.602{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 354300x8000000000000000127267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:26.142{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53772-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000127266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:28.152{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA61913720817F94FFE9342B94A74CD,SHA256=75F267A2734DC31563FD010AEF94DE3D883ED8A5F244D2E1536E84F98C67D264,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000156941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.460{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.458{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1CED-6323-9413-000000007402}7476c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.456{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.453{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-187C-6323-0013-000000007402}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.450{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16CD-6323-CC12-000000007402}7964C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.445{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CB12-000000007402}5276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.442{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-16C6-6323-CA12-000000007402}8032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.423{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-14A1-6323-7F12-000000007402}7896C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.400{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-13AC-6323-5E12-000000007402}8156C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.397{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.394{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.374{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.361{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-0F3F-6323-DA0C-000000007402}5256C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.359{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.354{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.351{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.346{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.343{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.343{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.337{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.334{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.319{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.312{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.266{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.262{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.237{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.227{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.182{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.169{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.151{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.141{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.139{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.137{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.130{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.128{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.127{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.122{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.121{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000156903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:28.118{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000127268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:29.194{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E858F63D64BCB30F03AF53B09DA9FD5A,SHA256=E24126859E1CDE91124F257DD218F8E891B03CB73AC910B0F9D246E3282F05E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:29.073{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C9A5FDA7BC99875B96C122AEC04837,SHA256=66261A7D8872E98FDEE99D464E0B84192F63353ED1B60028EB9F96571EA623F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:30.233{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19D29013751B757A797E71CE53B648A,SHA256=632B30A25D418AF385E9A5A8728B178C6B82C2E33C55BF560D37233A85C0904D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:30.155{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=801BCF98160E525778D482BDD932CA98,SHA256=20E8CB9CA5E013E96A332BEC8C05C8906BCE1B3B937F25134D8A9C2C223639C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:31.261{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AEF91E07FEBA8C2C8A298A7828601F7,SHA256=E179AE2296E9EC6071FE5F36B5DF1DEC632A397ED04A267AD3C61980602032B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:31.331{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0DDA0FC131FA3683DDAA7903AC4F37,SHA256=602D5C33A330328676F905689C749C733B8EFF30330CA65BD97F3FB0886EDA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:31.134{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=577457AA558E14A13D90130BE0A00B32,SHA256=9DC0CBADE986CC46E81B8DFEFCDC786BD7CBF7548CDFE44C78FCFF205EE598CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:32.364{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC5F495CD14988048C75286EAC08309,SHA256=B69589C1C6B33DEF7D9E611573FEE77E41377EC568A1648989032F4E9487BE7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:32.413{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\aborted-session-pingMD5=C9DCE80C7E542897CC54209166C03656,SHA256=588A124B504034643505E7402F66D92157DB25EC88CF80B0CB4C358FEA6A9C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:32.382{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34907341C94FB9F578FFFDD9089DD89B,SHA256=FEE063141A5A340183EC726A3E0BC59FEB7EA0B1BEBBC46B92E2E5D700E7AF96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000156948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:31.577{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61725-false10.0.1.12-8000- 23542300x8000000000000000156947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:33.467{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDB0DCCE1216B6793B03BCF5DC35B374,SHA256=49DB4421C531283DA7137179A0B5FB9A8CCD8F239A8D84396DE9B1EF22FB08A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000127274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:31.180{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal53773-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000127273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:33.400{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03444B49A303353FB8345A4C43FD1D44,SHA256=964C1A0F5239211D15DE946F7E2AE2BE4DE23DB4D041D22B064E143BB699A9B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:34.418{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85A298A3D67B2A8DDB5C8876FACB608,SHA256=E6CFBE46304229748D946C1823DF10F279A79D5993B2B673864636A9DCBB64C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:34.570{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD96FA074F5E2D45EC4FC53AAD1CB58,SHA256=666922A819701F6EDD825784CF43E903C2A1016D2FC20B9F8223BAD45C5D6C2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:34.363{E743DC12-D550-6322-0D00-000000007502}7842752C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000127277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 12:56:35.563{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1357C24D00785DE558C7624CA52A93DB,SHA256=13906701546E46260EB451263BEDDF7AAD6E1A87420E0BC6DF00BB0AA35A2742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000156950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:35.575{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D811928725321F97AAB1B7747F439F,SHA256=F369D6A8F65626F56DCAAF1274AAF1EB5CDD4528B188B9F671D50199C0B105B7,IMPHASH=00000000000000000000000000000000falsetrue