14:12:02.085{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AB499AAA7059E692AB136AED74EB47,SHA256=AA16F8A20C1FBE6161CDE4B995E6CC7B468450911C2ABF1FFBE3DED8CC2D51EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.116{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.115{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 
10341000x8000000000000000101658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.109{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.107{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.100{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.098{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.095{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 23542300x8000000000000000101653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.068{7DAC9CB3-BE89-63BE-1100-00000000A702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1E172C83060EBE99F9835A89A4A6DC94,SHA256=5F075E5DBBE8141A663D851B503AD0C85A22422CB6ED4E14BE42679345A75BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:03.663{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F193071E1BE3778FF926FAF35A85027,SHA256=2A7970F44D732AD225B3D6BC88B4C3BF5AA40CF23C3DC894E7C2A28C4510D941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:03.170{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF7B47AB32D22A0CE5B5FF8835FAA50,SHA256=C633857688F607AB2AC5858CF58ECAF5AD0A530157E3B86FD37E93D32E71B05A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.774{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C296-63BE-6E01-00000000A702}6532C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.773{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.767{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 23542300x8000000000000000101689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.756{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7558CF6EA9C80EBC66A937D084EF933,SHA256=44A2F808062B53DC38D0C6062B049C68796D1C1A5245AC251D31793D0A5B4CAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.749{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 
10341000x8000000000000000101687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.737{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.708{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.699{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.687{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.681{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.679{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.676{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.673{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.669{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.668{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.665{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 354300x800000000000000038983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:02.825{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49953-false10.0.1.12-8000- 10341000x800000000000000038982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.655{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.648{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.643{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.636{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.628{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.622{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.620{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.612{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.607{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B61C4EF9FA431BEE96F5BE32B41FCBD,SHA256=6C13860E1082E5CC55ACE0B548FADBC4CC8FB46268D2297E3585E246696F2FC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3BB-63BE-3601-00000000A802}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C3BB-63BE-3601-00000000A802}848C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3BB-63BE-3601-00000000A802}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.705{3EE3745C-C3BB-63BE-3601-00000000A802}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000039010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.236{3EE3745C-C3BB-63BE-3501-00000000A802}27203692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3BB-63BE-3501-00000000A802}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C3BB-63BE-3501-00000000A802}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3BB-63BE-3501-00000000A802}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.033{3EE3745C-C3BB-63BE-3501-00000000A802}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.976{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6390726FA1910866CA83D1BDE81F5062,SHA256=C5706241F8A9F99DBE656420F10F42F841F929E8245129BCCA36DB0304A017C1,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000101703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:12.456{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CBEDB0539BE1B58F7537F870E7C7E2,SHA256=8FDD7DE3A802A85EA9159937F250F1ED36DDECDAE0690578F22520B1ACE62431,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3BC-63BE-3701-00000000A802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C3BC-63BE-3701-00000000A802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3BC-63BE-3701-00000000A802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-C3BC-63BE-3701-00000000A802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.120{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=868117D57C57C5D91AC3FE761D6B1C99,SHA256=74C19E6A66EAC7135DB2C20EF3BAB485AB73ECDC098DFCEA0900EA8887640D5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:13.985{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3BD-63BE-3801-00000000A802}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:13.984{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.984{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.984{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C3BD-63BE-3801-00000000A802}1012C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.984{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3BD-63BE-3801-00000000A802}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.983{3EE3745C-C3BD-63BE-3801-00000000A802}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:13.559{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943E054A722D4A1627113E8144D378C5,SHA256=E37E9DE79FA013EE239FECEC250DEBE52B3EBF4E0134ECAB3D0BA6875AD16952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:14.652{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42BAA122989ADD523D66E2AD10CB967E,SHA256=94029B6A9C07E8DE07D823BBB984CCA245879192005035AFE9C81DEF2B7497C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.837{3EE3745C-C3BE-63BE-3901-00000000A802}920936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3BE-63BE-3901-00000000A802}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C3BE-63BE-3901-00000000A802}920C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3BE-63BE-3901-00000000A802}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.650{3EE3745C-C3BE-63BE-3901-00000000A802}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000039056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.196{3EE3745C-C3BD-63BE-3801-00000000A802}10121852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.053{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478B4FC874E5797A4DFED1BB4075A850,SHA256=BA788D6E7338ABA781F0848131A278DA99720A56970E699142A6D7DB0933AC4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:15.914{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:15.751{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3550191F7CC5D95634A03E1A864E89,SHA256=858211958289F5FFACD25E8076B7744D065E3A1EADACB5ED4388DC49A5B50517,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.407{3EE3745C-C3BF-63BE-3A01-00000000A802}16361084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3BF-63BE-3A01-00000000A802}1636C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C3BF-63BE-3A01-00000000A802}1636C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3BF-63BE-3A01-00000000A802}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.219{3EE3745C-C3BF-63BE-3A01-00000000A802}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FDF165834C6DDB37BC2E4E4685D58B,SHA256=310BF9A9092DE2A752E232F92B5513CD7D5B186EC8526AC9C155DC5A60789FCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3C0-63BE-3B01-00000000A802}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C3C0-63BE-3B01-00000000A802}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3C0-63BE-3B01-00000000A802}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.657{3EE3745C-C3C0-63BE-3B01-00000000A802}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.343{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D59B20771958418E1EB6E543C7F4001,SHA256=A1287ECCC122977FE712541F01D8E9C97A2E087BDE8CB11BC04A29FDA7B5E345,IMPHASH=00000000000000000000000000000000falsetrue 
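The records above are almost entirely Sysmon Event ID 10 (ProcessAccess) noise: svchost.exe (via lsm.dll) opening sysmon64.exe with GrantedAccess 0x1400 (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION), and csrss.exe and splunkd.exe opening freshly created Splunk helper processes with 0x1fffff (PROCESS_ALL_ACCESS), which is the handle a creator gets back from CreateProcess; the Event ID 23 (FileDelete) records all carry IsExecutable=false. The triage below is an added example, not code from the original dump, from Splunk or from Sysinternals. It decodes the GrantedAccess mask, suppresses exactly those benign patterns (parent-of-target, query-only handles, csrss as source) and flags memory-level access to sensitive processes, any CallTrace with an UNKNOWN (unbacked) frame, and deletion of executables. The sample records are constructed in the XML layout the Windows Event Log renders for the Sysmon channel; their GUIDs, PIDs, the path C:\Users\Public\tool.exe and the deleted file are made up.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) and 23 (FileDelete) records.

Added example; not part of the original log dump. Sample events are constructed
in the XML layout the Windows Event Log renders for the Microsoft-Windows-Sysmon
channel; GUIDs, PIDs and the tool.exe / stage2.exe paths are made up.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# PROCESS_* rights (winnt.h) plus the standard rights that together make up
# PROCESS_ALL_ACCESS (0x1FFFFF); used to decode Sysmon's GrantedAccess mask.
ACCESS_RIGHTS = {
    0x1: "TERMINATE", 0x2: "CREATE_THREAD", 0x8: "VM_OPERATION", 0x10: "VM_READ",
    0x20: "VM_WRITE", 0x40: "DUP_HANDLE", 0x80: "CREATE_PROCESS", 0x100: "SET_QUOTA",
    0x200: "SET_INFORMATION", 0x400: "QUERY_INFORMATION", 0x800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
MEMORY_RIGHTS = 0x8 | 0x10 | 0x20          # VM_OPERATION | VM_READ | VM_WRITE
SENSITIVE_TARGETS = {"lsass.exe", "sysmon64.exe", "sysmon.exe"}
BENIGN_SOURCES = {"csrss.exe"}             # csrss opens every new process with 0x1FFFFF


def decode_access(mask_hex):
    """'0x1400' -> ['QUERY_INFORMATION', 'QUERY_LIMITED_INFORMATION']"""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def parse_event(xml_text):
    """Flatten one rendered event into {'EventID': int, <Data Name>: value, ...}."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = (d.text or "").strip()
    return ev


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return [(event, reason)] for the records worth an analyst's time."""
    # Event ID 1 gives parent->child links; a creator's full-access handle on its
    # own child is what CreateProcess returns and is not worth flagging.
    # Schema quirk: ID 1 uses ProcessGuid, ID 10 uses SourceProcessGUID.
    parent_of = {e["ProcessGuid"]: e["ParentProcessGuid"] for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] == 10:
            src, tgt = basename(e["SourceImage"]), basename(e["TargetImage"])
            if "UNKNOWN" in e.get("CallTrace", ""):
                findings.append((e, f"{src} -> {tgt}: handle opened from unbacked memory (UNKNOWN in CallTrace)"))
            elif parent_of.get(e["TargetProcessGUID"]) == e["SourceProcessGUID"]:
                continue                   # parent holding its CreateProcess handle
            elif not int(e["GrantedAccess"], 16) & MEMORY_RIGHTS:
                continue                   # query-only, e.g. svchost -> sysmon64 0x1400
            elif tgt in SENSITIVE_TARGETS and src not in BENIGN_SOURCES:
                findings.append((e, f"{src} -> {tgt}: {'|'.join(decode_access(e['GrantedAccess']))}"))
        elif e["EventID"] == 23 and e.get("IsExecutable", "").lower() == "true":
            findings.append((e, f"executable deleted by {basename(e['Image'])}: {e['TargetFilename']}"))
    return findings


def _xml(event_id, **data):
    """Constructed sample record in the Windows Event Log XML layout."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f"<EventID>{event_id}</EventID></System><EventData>{body}</EventData></Event>")


SPLUNKD, CHILD, SVCHOST, SYSMON, LSASS, TOOL = (f"{{0000-{i}}}" for i in range(6))  # made-up GUIDs
FWD = r"C:\Program Files\SplunkUniversalForwarder\bin"
SAMPLE_EVENTS = [
    _xml(1, ProcessGuid=CHILD, ProcessId="920", Image=FWD + r"\splunk-powershell.exe",
         ParentProcessGuid=SPLUNKD, ParentProcessId="1620", ParentImage=FWD + r"\splunkd.exe"),
    _xml(10, SourceProcessGUID=SPLUNKD, SourceImage=FWD + r"\splunkd.exe", TargetProcessGUID=CHILD,
         TargetImage=FWD + r"\splunk-powershell.exe", GrantedAccess="0x1fffff",
         CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890"),
    _xml(10, SourceProcessGUID=SVCHOST, SourceImage=r"C:\Windows\system32\svchost.exe",
         TargetProcessGUID=SYSMON, TargetImage=r"C:\Windows\sysmon64.exe", GrantedAccess="0x1400",
         CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\lsm.dll+11058"),
    _xml(10, SourceProcessGUID=TOOL, SourceImage=r"C:\Users\Public\tool.exe", TargetProcessGUID=SYSMON,
         TargetImage=r"C:\Windows\sysmon64.exe", GrantedAccess="0x1fffff",
         CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Users\Public\tool.exe+1234"),
    _xml(10, SourceProcessGUID=TOOL, SourceImage=r"C:\Users\Public\tool.exe", TargetProcessGUID=LSASS,
         TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1010",
         CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+a6154|UNKNOWN(00000241A3F20000)"),
    _xml(23, Image=FWD + r"\splunk-winevtlog.exe", IsExecutable="false",
         TargetFilename=r"C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security"),
    _xml(23, Image=r"C:\Users\Public\tool.exe", IsExecutable="true", TargetFilename=r"C:\Users\Public\stage2.exe"),
]


def run_triage(xml_records=SAMPLE_EVENTS):
    """Parse the records and return only the reason strings, in event order."""
    return [reason for _, reason in triage([parse_event(x) for x in xml_records])]


if __name__ == "__main__":
    for reason in run_triage():
        print(reason)
```

On the constructed input this keeps three findings out of seven records: the full-access handle on sysmon64.exe from tool.exe, the lsass.exe read whose CallTrace has no backing module, and the deletion of stage2.exe. Everything the dump above actually shows (svchost 0x1400 on sysmon64.exe, csrss and the Splunk parent opening new children with 0x1fffff, non-executable deletions) is suppressed. The BENIGN_SOURCES allowlist is deliberately short: an attacker who has injected into svchost.exe would inherit any image-name exemption, so the parent link and the rights mask do the filtering instead.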
23542300x8000000000000000101709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:16.858{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4218568EFE6478BB89AEBB6F144BC1CF,SHA256=905038BADDEA1E637A41F8B1E3A2436B3E9D465CD475D732203461CDAE9D4732,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:13.986{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59525-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000039086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.819{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49956-false10.0.1.12-8000- 23542300x8000000000000000101711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:17.966{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3DE3AF1EDC30676F302A29D98E26CD,SHA256=7280D06A8EE7685EAF2B7BCF143010824B37A14EF8EE2D2D85ED9DC1884DE4E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.466{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000039138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.627{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.625{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.619{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.614{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.612{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.609{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.608{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.605{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.603{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.599{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.589{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.583{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.580{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.571{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.560{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 
10341000x800000000000000039123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.556{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.536{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.524{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.489{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.478{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.471{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.459{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.452{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.444{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 23542300x800000000000000039114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.436{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8003E7F789161488F77B94BB63203132,SHA256=309C42E48412A60350304DD3082954933911240A7C59162855C8B9190F3E9ECB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:24.434{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.420{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.412{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.402{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.395{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x8000000000000000101755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.458{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.451{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.446{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.445{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.442{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x800000000000000039139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:25.826{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBBCEA8D7BC43D69EA450AF77C97145,SHA256=CF13CC3FE3D293536E613E736BB536AC3859ADDD9101676E809B0407B9F12E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:25.539{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0FF75ED26DBE3642E9A024F55A6DD4,SHA256=0720CC76E59114135CF0AFE118EF2B9F593225137F8F4EB242624E8A71B8B52D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:26.977{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D723A869104D821F74EA1F1CCD36E8A,SHA256=D2324B903852FB154E2F2FDB760C2D4051840814B158770E7B4C48ECEE6F9A50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:26.634{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A979CF42C280A1940A415835D4E4C2,SHA256=DB13750A759DE1371D48E517D4AA13F17618F8313F9DD729C157E4F45CF4CE9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.634{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49958-false10.0.1.12-8000- 23542300x8000000000000000101770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:27.747{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6023C764F4A3B14F332486FB824A53D8,SHA256=5DF1A70772693F59254BC0043A3777498E595ABED5A17858F8DADAC7081B46A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:25.911{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59528-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:28.839{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4715FF679E8080700207A04EDCEF63A9,SHA256=3219D0EF1FDC975C1667F1B8300FF9F752EBDDE50FFF2A5E2DCC21EBAA9FB1B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:28.049{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A2B883E7E0DAA54306B3160A5E8245,SHA256=A4BC077896244BB02DF0E9C9DB623EC3C1BE7DBC1CD04C249B0A1F7D1CFB60BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.951{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4DBC3632D8E7FBB5016D6CDBE5948A,SHA256=7E46257478E0BA951162E8B8E99E76E5520377FDE6DD4E430FD44EB0B0FB5846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:29.150{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F047B1D956191BF7C19B6C9E83AF4F,SHA256=8485CB27281AAC2FBA84927E87E67E4539CCBB834C125B878163698096AA09B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.137{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C3CD-63BE-9301-00000000A702}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000101777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000101775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C3CD-63BE-9301-00000000A702}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C3CD-63BE-9301-00000000A702}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-C3CD-63BE-9301-00000000A702}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:30.241{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E1558D92D17ECB34113924C2B261EB,SHA256=C9FE2EE77C461409ECDB005FBC8A8F3C088F5476650B3227119434455F4191C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.950{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C3CE-63BE-9401-00000000A702}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.950{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:30.950{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.950{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:30.950{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.950{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C3CE-63BE-9401-00000000A702}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.950{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C3CE-63BE-9401-00000000A702}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.951{7DAC9CB3-C3CE-63BE-9401-00000000A702}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.231{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0DC268CEE8992F0019942FA02DD741A,SHA256=4917EFE5485C1B7AB92ACE613B145BA2AC0D4B6D393B73905195AA9B12B08A89,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000101781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.163{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CD8DA6943675BAA7A94884FEFC638E46,SHA256=B8380D7806E4C582EFCEF7F4223C86BF510963235085D47D3A500E1DE7EA36B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:29.768{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49959-false10.0.1.12-8000- 23542300x800000000000000039145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:31.440{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF0E2EBF9ECD99DDAB25E55534ADC61,SHA256=6ADE2DDBB8ECC1FA36B39369C0B8927CA0D0A5E2530EDAC52458625CA26964DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C3CF-63BE-9501-00000000A702}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000101802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000101800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000101798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C3CF-63BE-9501-00000000A702}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C3CF-63BE-9501-00000000A702}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.622{7DAC9CB3-C3CF-63BE-9501-00000000A702}6588C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000101795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.727{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59529-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000101794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.727{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59529-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 10341000x8000000000000000101793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.126{7DAC9CB3-C3CE-63BE-9401-00000000A702}50525940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000101792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.044{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=13522048C8CA73E0D9CE3991D628615E,SHA256=3D735BA93D7809E31831FEA34D146F2C2786F3A63B059F74044E3FF964DCB303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.028{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A53E81FD3726CE67F1CE0A1366684E,SHA256=83B9204C7E86CE7D32D2602B2C168E791739CDED372669B981733164D48C70FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:32.533{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\respondent-20230111135000-021MD5=CA0432AED8832FEC4A268ECD95555CC4,SHA256=F2EC2AB8CCFA0BEF84779FAA8BB551C0FFBD1784CE3F0961E9269E14E4DD7D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:32.513{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9C31F8FB66F077F0328A5CE913C241,SHA256=90B709DC06627720C5B3019360067B1B6D8C6B867B07EA8CD189F6B5533ADF6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:32.125{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFB7033ADF9AB230350E822B4A2E45F,SHA256=FA242DA0B278E92861F6C327D7F4AD639112DF63D517BF360DCAC7B6A1AB9A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:33.617{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF34A718F5824B442B46EEA1BA21CC68,SHA256=782CE415F7234ED7BB4243EB5F68A24BBE73BF4B09872396F0241C5ACB3541D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:33.539{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\surveyor-20230111134958-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000101815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:33.428{7DAC9CB3-C3D1-63BE-9601-00000000A702}3926324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000101814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.917{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59530-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:33.202{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F60B2EB6DFB7CF679053A2E373A69BD,SHA256=75F8F41A654A342B8BD3A588166BC0F0DAFCB895F46A5819C1C37454798838FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:33.199{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C3D1-63BE-9601-00000000A702}392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:33.196{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:33.195{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:33.195{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:33.195{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:33.195{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C3D1-63BE-9601-00000000A702}392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:33.195{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C3D1-63BE-9601-00000000A702}392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:33.194{7DAC9CB3-C3D1-63BE-9601-00000000A702}392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:34.597{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F82E517692A4C82124317499779F03F,SHA256=A15473D3010D894CE6D06C2D7D9EDE57F2E036C7A21674A71A22E9122DE7BFB7,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000101840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.943{7DAC9CB3-C3D2-63BE-9801-00000000A702}55924332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.704{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C3D2-63BE-9801-00000000A702}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:34.704{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.704{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:34.704{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.704{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:34.704{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C3D2-63BE-9801-00000000A702}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.704{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C3D2-63BE-9801-00000000A702}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.705{7DAC9CB3-C3D2-63BE-9801-00000000A702}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk 
Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000101831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.407{7DAC9CB3-C3D2-63BE-9701-00000000A702}54845944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.346{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.346{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.346{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.345{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.344{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.344{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 23542300x8000000000000000101824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.299{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964D0413EF19C4602409242A29A1CBF4,SHA256=0AD547E8D0C0C4EF9D1523890D54D745E15397BA6B1CFDBF420AD89C853DE28A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:34.182{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.182{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:34.182{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.182{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:34.182{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.182{7DAC9CB3-BE86-63BE-0500-00000000A702}420536C:\Windows\system32\csrss.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.182{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39155 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
  RuleName=- UtcTime=2023-01-11 14:12:38.207 ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=CDCBF9F2452E431AE037897EB9D9000C,SHA256=873518E5C3AFB8D17CEC4A57B6509C053E943FBB5D023BBDA350BE330A4276F0,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39156 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
  RuleName=- UtcTime=2023-01-11 14:12:39.394 ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=22088680EFCA16C339154157DB628A16,SHA256=A1D102541C4975829F3A9A3BC4209B28778A9CE4D44886A4375AEBB999FBFC9F,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=3 (NetworkConnect) Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101889 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:36.999 ProcessGuid={7DAC9CB3-BEA4-63BE-7100-00000000A702} ProcessId=3944 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true
  SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-661.attackrange.local SourcePort=59531 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8000 DestinationPortName=-

EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39157 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
  RuleName=- UtcTime=2023-01-11 14:12:40.489 ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=C5236F90541186993260436CD7E3D392,SHA256=989A754ABD282EA8D705EA19A4CDB0B28078A181B53485887718BDA53A824D7D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101890 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:40.295 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=5125E2E7A56D3812CEF9C16416E44580,SHA256=8731613C78C54CF6A1AEC7EBCAB1E1F0323C1782FC90274CE9673251F35AF81B,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39158 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
  RuleName=- UtcTime=2023-01-11 14:12:41.589 ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=4354010CE7682E97DA42BFBF74F02CB6,SHA256=970B9B35716B70972F7B3680C79B4A4D352C5B7A2D789F648E49698EAD7E5623,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101917 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.956 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE97-63BE-3000-00000000A702} TargetProcessId=2760 TargetImage=C:\Windows\system32\dfssvc.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101916 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.955 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE97-63BE-2E00-00000000A702} TargetProcessId=2740 TargetImage=C:\Windows\System32\ismserv.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101915 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.948 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE97-63BE-2D00-00000000A702} TargetProcessId=2728 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101914 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.945 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE97-63BE-2C00-00000000A702} TargetProcessId=2708 TargetImage=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101913 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.933 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE97-63BE-2B00-00000000A702} TargetProcessId=2700 TargetImage=C:\Windows\system32\DFSRs.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101912 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.930 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE97-63BE-2A00-00000000A702} TargetProcessId=2692 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101911 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.926 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE97-63BE-2800-00000000A702} TargetProcessId=2656 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101910 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.472 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=01598E6816AC5B11A6B9F2A9A41BA642,SHA256=6B16703137639E5605BE5D13047C3EC34D54483DF51CB3AFF03DAAD7335DB268,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101909 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.304 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE97-63BE-2700-00000000A702} TargetProcessId=2552 TargetImage=C:\Windows\system32\dns.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101908 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.290 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE97-63BE-2600-00000000A702} TargetProcessId=2544 TargetImage=C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101907 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.278 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE97-63BE-2500-00000000A702} TargetProcessId=2468 TargetImage=C:\Windows\System32\spoolsv.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101906 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.270 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE92-63BE-2300-00000000A702} TargetProcessId=2324 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101905 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.268 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE8A-63BE-1D00-00000000A702} TargetProcessId=2072 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101904 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackr## 

ange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.264 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE89-63BE-1700-00000000A702} TargetProcessId=1424 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101903 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.218 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE89-63BE-1600-00000000A702} TargetProcessId=1300 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101902 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.213 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE89-63BE-1500-00000000A702} TargetProcessId=1236 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101901 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.208 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE89-63BE-1400-00000000A702} TargetProcessId=1120 TargetImage=C:\Windows\system32\dwm.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101900 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.193 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE89-63BE-1300-00000000A702} TargetProcessId=932 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101899 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.175 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE89-63BE-1200-00000000A702} TargetProcessId=488 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101898 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.156 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE89-63BE-1100-00000000A702} TargetProcessId=412 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101897 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.145 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE89-63BE-1000-00000000A702} TargetProcessId=100 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101896 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.131 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE89-63BE-0F00-00000000A702} TargetProcessId=388 TargetImage=C:\Windows\system32\LogonUI.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101895 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.120 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE89-63BE-0E00-00000000A702} TargetProcessId=1020 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101894 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.110 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} TargetProcessId=896 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101893 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.100 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE88-63BE-0C00-00000000A702} TargetProcessId=836 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101892 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.032 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5976 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE87-63BE-0B00-00000000A702} TargetProcessId=636 TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101891 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:41.029 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5976 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE86-63BE-0900-00000000A702} TargetProcessId=576 TargetImage=C:\Windows\system32\winlogon.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)

EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39160 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
  RuleName=- UtcTime=2023-01-11 14:12:42.693 ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=10B55D50323617DBE5D84B5D82B33931,SHA256=9894B0780F8CF5010C67E97081BA7BC488F24D4E0BFB25C01D1CBD00F2844B3E,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101918 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:42.536 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=84FB120B9F3819E8729155E89AFB4428,SHA256=DEE0EE253E376A645B41E0DDC06011922C21D20F0F6BC937AF825B32A5ECE7A5,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39159 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
  RuleName=- UtcTime=2023-01-11 14:12:42.093 ProcessGuid={3EE3745C-BE85-63BE-2200-00000000A802} ProcessId=1620 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log Hashes=MD5=62F1104304AC813BF51B1413A33662E8,SHA256=F7FA5064EBCE52D9BEE33EC2DCA7E0DF655E49B1D25F1AACBD8D362151FB8FC3,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=3 (NetworkConnect) Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39162 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
  RuleName=- UtcTime=2023-01-11 14:12:41.651 ProcessGuid={3EE3745C-BE91-63BE-6200-00000000A802} ProcessId=3328 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true
  SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-ctus-attack-range-780.us-east-2.compute.internal SourcePort=49961 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-

EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39161 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
  RuleName=- UtcTime=2023-01-11 14:12:43.890 ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=47DE10C91EB79260E63709F292910174,SHA256=FDBD0BED08D40E372CFF35AD057FA723E69E51C4D7F98BDBE1941752989F3F08,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101921 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:43.998 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE98-63BE-3600-00000000A702} TargetProcessId=3116 TargetImage=C:\Windows\system32\conhost.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
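The raw export behind these records is Sysmon XML with its tags stripped, so fields run into one another: EventID, Version, Level, Task, Opcode and Keywords fuse into strings such as 23542300x8000000000000000, and SourceProcessId fuses with SourceThreadId ("58405976"). The example below is added here and is not code from the page, from Splunk or from the Aurora agent. It parses that fused format back into fields using the standard Sysmon field order for EventID 10 (ProcessAccess, schema v3) and EventID 23 (FileDelete, schema v5), recovers the fused PID/TID pair from GUIDs seen unfused elsewhere, and then triages every ProcessAccess against lsass.exe by decoding the GrantedAccess mask. Three of the sample records are copied from this page (call traces shortened); record 900001 is constructed for the example and never appeared on this host.

```python
"""Parse a tag-stripped Sysmon export and triage its ProcessAccess records.

Added example, not code from the page, Splunk or the Aurora agent. Assumes
the standard Sysmon field order for EventID 10 (schema v3) and 23 (v5),
that Task == EventID, and that the "-" between Computer and UtcTime is the
empty RuleName. Other event types keep their body unparsed.
"""
import re

# Fused <System> block followed by the first two <EventData> fields.
HEADER = re.compile(
    r"(?P<eid>\d{1,2})(?P<ver>\d)(?P<level>\d)(?P=eid)(?P<opcode>\d)"
    r"(?P<keywords>0x[0-9A-Fa-f]{16})(?P<rec>\d+)"
    r"Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>.+?)-(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
)
GUID = r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}"
BODY = {
    # GrantedAccess is matched lazily: the CallTrace that follows starts
    # with a drive letter, which is itself a hex digit ("0x40C:\...").
    "10": re.compile(
        rf"(?P<src_guid>{GUID})(?P<src_pid_tid>\d+)(?P<src_image>.+?)"
        rf"(?P<tgt_guid>{GUID})(?P<tgt_pid>\d+)(?P<tgt_image>.+?)"
        r"(?P<access>0x[0-9A-Fa-f]+?)(?P<call_trace>[A-Z]:\\.*)$"),
    "23": re.compile(
        rf"(?P<guid>{GUID})(?P<pid>\d+)(?P<user>.+?)"
        r"(?P<image>[A-Z]:\\.+?\.exe)(?P<target>[A-Z]:\\.+?)"
        r"(?P<hashes>MD5=[0-9A-F]+,SHA256=[0-9A-F]+,IMPHASH=[0-9A-F]+)"
        r"(?P<is_executable>true|false)(?P<archived>true|false)$"),
}
ACCESS_RIGHTS = {  # PROCESS_* access-right bits found in GrantedAccess
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION",
}

# Records 101853, 101940 and 101892 are copied from this page (call traces
# shortened); 900001 is constructed: a binary in a user profile opening
# lsass.exe with VM_READ|QUERY_LIMITED_INFORMATION. Like the page, the text
# breaks a line in the middle of a record.
SAMPLE = (
    r"23542300x8000000000000000101853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.712{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"
    r"C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78BA575EFD93436B151B9E6BCE42AB4,SHA256=06CFE7BC1C5DC0AF8C38A9155CCDB6F02D0F9DA6717A6B6B838D64800FACAC25,IMPHASH=00000000000000000000000000000000falsetrue "
    r"10341000x8000000000000000101940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.993{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program " "\n"
    r"Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906 "
    r"10341000x8000000000000000101892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.032{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) "
    r"10341000x8000000000000000900001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:00.000{7DAC9CB3-DEAD-63BE-0100-00000000A702}41044108C:\Users\bob\Desktop\pd.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1010"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Users\bob\Desktop\pd.exe+1234"
)


def decode_access(mask):
    """Names of the PROCESS_* bits set in a GrantedAccess mask."""
    return ["PROCESS_" + n for bit, n in ACCESS_RIGHTS.items() if mask & bit]


def parse_export(text):
    """Split the export into records. Line breaks fall inside records, so
    lines are joined with nothing between them; text before the first header
    (a record whose header sits on an earlier page) is dropped."""
    flat = text.replace("\n", "")
    heads = list(HEADER.finditer(flat))
    records = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(flat)
        rec = h.groupdict()
        body = flat[h.end():end].strip()
        m = BODY[rec["eid"]].match(body) if rec["eid"] in BODY else None
        rec.update(m.groupdict() if m else {"raw_body": body})
        records.append(rec)
    return records


def resolve_source_pids(records):
    """Split the fused SourceProcessId+SourceThreadId using GUID -> PID pairs
    learned from fields that are not fused (FileDelete ProcessId and
    ProcessAccess TargetProcessId); None when the GUID was never seen unfused."""
    pid_by_guid = {}
    for r in records:
        if "guid" in r:
            pid_by_guid[r["guid"]] = r["pid"]
        if "tgt_guid" in r:
            pid_by_guid[r["tgt_guid"]] = r["tgt_pid"]
    for r in records:
        fused, pid = r.get("src_pid_tid"), pid_by_guid.get(r.get("src_guid"))
        if fused and pid and fused.startswith(pid) and len(fused) > len(pid):
            r["src_pid"], r["src_tid"] = pid, fused[len(pid):]
        elif fused:
            r["src_pid"] = r["src_tid"] = None
    return records


def lsass_findings(records):
    """Every ProcessAccess against lsass.exe with its mask decoded. Marked
    suspicious when PROCESS_VM_READ is requested, the right a credential
    dumper needs; 0x40 (DUP_HANDLE) alone, which the Aurora agent asks for
    in the records above, is what a handle enumerator wants."""
    out = []
    for r in records:
        if not r.get("tgt_image", "").lower().endswith("\\lsass.exe"):
            continue
        mask = int(r["access"], 16)
        out.append({"rec": r["rec"], "utc": r["utc"], "src_image": r["src_image"],
                    "src_pid": r.get("src_pid"), "access": r["access"],
                    "rights": decode_access(mask), "suspicious": bool(mask & 0x0010)})
    return out


if __name__ == "__main__":
    for finding in lsass_findings(resolve_source_pids(parse_export(SAMPLE))):
        print(finding)
```

Run as is, the script lists two lsass.exe accesses: the Aurora agent's 0x40 (PROCESS_DUP_HANDLE, not suspicious) and the constructed 0x1010 (VM_READ plus QUERY_LIMITED_INFORMATION, suspicious). The PID/TID recovery is deliberately conservative: the source PID of record 101940 stays None because its GUID is never seen unfused in the sample, and a detection that keys on PIDs should treat such records as unresolved rather than guess a split.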
EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101920 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:43.997 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5920 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={7DAC9CB3-BE97-63BE-3100-00000000A702} TargetProcessId=3028 TargetImage=C:\Windows\system32\wbem\unsecapp.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101919 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:43.643 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=925F48CA71E3388597043F3C9526773D,SHA256=DDD1D201AA64F4D7B12BB1D1D74BE2CCE5931517017D6B29A1437EA67EBF3A67,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101940 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:44.993 SourceProcessGUID={7DAC9CB3-BE88-63BE-0C00-00000000A702} SourceProcessId=836 SourceThreadId=872 SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} TargetProcessId=5840 TargetImage=C:\Program Files\Aurora-Agent\aurora-agent.exe GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101939 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:44.728 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=886EC6D86A18C1ACCAC8755116B6686C,SHA256=842C68FDCC545EF36D60A32B83019E7A464D489D2AA175DF24A88902FE59DCA5,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=3 (NetworkConnect) Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101938 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
  RuleName=- UtcTime=2023-01-11 14:12:42.848 ProcessGuid={7DAC9CB3-BEA4-63BE-7100-00000000A702} ProcessId=3944 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true
  SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-661.attackrange.local SourcePort=59532 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8000 DestinationPortName=-

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39191 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
  RuleName=- UtcTime=2023-01-11 14:12:44.681 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=2488 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={3EE3745C-C0AB-63BE-C000-00000000A802} TargetProcessId=588 TargetImage=C:\Windows\system32\wbem\wmiprvse.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39190 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
  RuleName=- UtcTime=2023-01-11 14:12:44.677 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=2488 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={3EE3745C-BEFF-63BE-8200-00000000A802} TargetProcessId=524 TargetImage=C:\Windows\System32\msdtc.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39189 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
  RuleName=- UtcTime=2023-01-11 14:12:44.674 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=2488 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={3EE3745C-BE98-63BE-7400-00000000A802} TargetProcessId=3564 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39188 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
  RuleName=- UtcTime=2023-01-11 14:12:44.672 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=2488 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID={3EE3745C-BE91-63BE-6200-00000000A802} TargetProcessId=3328 TargetImage=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39187 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
  RuleName=- UtcTime=2023-01-11 14:12:44.670 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=2488 SourceImage=C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.667{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.665{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.662{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.660{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.654{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.646{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.641{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.638{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.626{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.611{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 
10341000x800000000000000039176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.607{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.588{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.575{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.524{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.514{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.498{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.483{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.468{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.461{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.447{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.436{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.419{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.410{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.406{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x8000000000000000101937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.618{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C296-63BE-6E01-00000000A702}6532C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.614{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.611{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.598{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.584{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.549{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.540{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.531{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.525{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.523{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.519{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.516{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.513{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.511{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.509{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:43.999{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x800000000000000039192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:45.286{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E80B522A85A39060CF711061E9EB834,SHA256=07F4096264B208FF9FBB7FC6259EDA31DC4327BB35B043F4FC311FA970F5D0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:45.707{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915F3E9DBD8ECBCC17A28E154BBDF088,SHA256=63394C324ABF2DEBB3EC8E06AF117334F9782B252A93AF93C62A1264BAC3AEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:46.814{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DA5458C3C05AF83B28ACC6EB2505C8,SHA256=A1E5291228796984E74C89BC81655C6927BA1FB07049DEE19AF5FE90B804C5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:46.369{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EB7E2600CBB6F3FC18BD5C5F338710,SHA256=0FA7A2832E598DCD7A090A1E3AE2D599F94E642856730259AC538D183F1B2E2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:47.467{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B85EA3106B9F6AF7E169E6201B3F161,SHA256=AB95751C8869EC7C287A232466D4EDF87DB8106D7B988D5A9C2AE9620F96B6F2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000101943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:47.907{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E2908A308E17E85B64BF62652DC34E,SHA256=4744469164103DA75540D6E627B20BCE8AD3A494B6D0254F19AE51FAAE3D7052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:48.673{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB367121EF2BB1585D47C3C7526406FB,SHA256=9F68840AA5A00CD5C58B760FD8477C014FAF8F5A69F78205FFE82EE77377D99B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:48.997{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC596155B9F516289D13AA87826830CE,SHA256=9333BE06AF23DB9E7982DFD5632BF4CC3F6D6BB7FABD943CFA6845659A57E767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:49.757{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B442D91824015BA210EB676EAA039E,SHA256=4C9AB01F90548156774746C201452F968F4578647194321C2982A42BED55A9D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:46.805{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49962-false10.0.1.12-8000- 23542300x8000000000000000101945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:49.974{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\respondent-20230111135017-021MD5=07F426DA1BACB3E11353998655DE41A4,SHA256=9692EE6582095E917EA0BD91D619685FE73AB8816512AD24B6859CB275BF64B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:50.857{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2037854931FC5092FE7D891B903C94,SHA256=41EBA4FB233F7B782D49FE5D5E2FE70135C2082EC27ECA89375646764CD58DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:50.979{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\surveyor-20230111135015-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:48.855{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59533-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:50.074{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E76D52E609ACED02DD66B5479A99FAF,SHA256=9CCC02791C823C5F2EABC99BA8464F208A9707BE22599E83E144C76E42C6D103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:51.960{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C80A1B24A8F3DF76EDB966C18EC7D3,SHA256=0DDE2424EA70BC96AC40EFD42C9E80D1E8C61DEE25886EEF038AB8FB06198EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:51.162{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1822D2A6B3D6C5CE84BFA86297F255D,SHA256=95C31A7C8353C1F24AD1AED3B2A33DD0B4775534E51523ACC2D4A4C13F76D65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:52.380{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C88DCE6054774B2EA79F31E72A23123,SHA256=67E6E0CC3AAC7EA041D2201A16E936121DA493182C2045F646C6EA3C6526B6ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:53.464{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C38170BE6BD35E6D12F64370731AC3,SHA256=DC6C242E11389FAA54561B2E4A1A83456968AE39E877A201A92036028350B3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:53.063{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5148A33F6108EB089E4E1F08965291C,SHA256=F76E20516470C1BEB671A1415BF34FFD6E9E6C15C0536BCEAEF6CFEC47D8581E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000101952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:54.668{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3EAEEF4D3861B776DDA9BAA0A1B9DB,SHA256=12931B242959E2F965536538923A2CC28928930479FE653E310DA634EC60BD54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:54.261{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEB5AECC2A9C467FD0F377AA5FF563D,SHA256=F6D77F5301C4E68384C88F195BFA287172D81BAE47856958179A7D5BD96E53B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:53.981{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59534-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:55.778{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F526DBE7C22F132FF80A2E27E1F4C73F,SHA256=4B53781444AD72267814B322A332BCC5A15FABACEC66AEF61A0D77724DF26884,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:52.667{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49963-false10.0.1.12-8000- 23542300x800000000000000039202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:55.470{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007957B401D2AC4CF0C486566FE4B2EA,SHA256=6FD984095483694328DEAF07CC3500764EBC0DB9557D89B904E883F9AE9C494D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:56.781{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C30DBC2F729B70200B74248F6081DE9,SHA256=D2B84001E398315B034A174D6A21712EB8FFA446BD97C9CF2FEF682F780AC82F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:56.873{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933415D58DC952554D9FA2E16F4310C3,SHA256=F51CEAD83C7E1D8B692376E45690526696B05713AD0D0FBCACFA6D462122679F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:57.990{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A01D6BFAD4627FCFBDBAB4737615D6,SHA256=5AF57E3617E3B427C8F4DE2277E58C723856A987424529292AF69443173F7602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:57.940{3EE3745C-BE85-63BE-1100-00000000A802}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EBFAB28FE922F24CF7F42DCEFA6B39D7,SHA256=0BED1B3F2E9D537B90C0DF7AE57DE5342949CB292FF2CF829A6D4582558D4D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:57.960{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3DD02BA9013BF7A0176434FAE2A09F,SHA256=5B49A0EC2A6290425BDB098E741396DC692C6FB14E2C01697357DA9395DDC7AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:59.060{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEDBE1CD86A402A2BE810A8F4FDBC18C,SHA256=EC99FB86AD53F84B3603D0C6C9274831F439267FFD16F27046738667D0C2A020,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000039217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000039216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001523cd) 13241300x800000000000000039215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d925be-0x6cb89372) 13241300x800000000000000039214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d925c6-0xce7cfb72) 13241300x800000000000000039213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d925cf-0x30416372) 13241300x800000000000000039212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 
14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000039211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001523cd) 13241300x800000000000000039210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d925be-0x6cb89372) 13241300x800000000000000039209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d925c6-0xce7cfb72) 13241300x800000000000000039208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d925cf-0x30416372) 23542300x800000000000000039207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:59.077{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=109D48664FA8287870279A9B90A28F11,SHA256=CEA4B6AD741C6CC6896594D9E9263884111295B534F36F6577CEBE037112B04B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000101958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:00.377{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A4B664C731F9BAFEEF1F56765E1AD6,SHA256=CCEEB3D3342B8956D8489CD167D0DF92A7FE19C7E25AD8FA18B55753CA540A96,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:58.612{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49964-false10.0.1.12-8000- 23542300x800000000000000039218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:00.280{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A17F605ACBA6DDAB7B50B0C278144D42,SHA256=CCAD4B610E8D5539D7A42EA77F2D43FF04BA4EB6B14E545D3207C2926E8173AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.813{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.811{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.803{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.799{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.790{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.786{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.782{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x8000000000000000101980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.439{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8274BF55FB897516B3AE521E0FEC6171,SHA256=1A144AB2E99287B15BEA069FDC21C2DFE53CDBC0013E381111B226F76172DC91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:01.391{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B210B9EF056E45313FDE813A2B79ED95,SHA256=76CD343D700246CA928951D600392D56BF4418BDC3983D6A5A69D3123FDE6DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.303{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5130E7B6A4DF4411E9C5FD0A6B569F90,SHA256=15447CAF8285BB427A88C8F0D8ED1DB2342EE7A3851C133E7021A4B05724BC2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.257{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.240{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.231{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.226{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.223{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.220{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.179{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.173{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.166{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.149{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.127{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.116{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.104{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.095{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.080{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.070{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.059{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 354300x8000000000000000101961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:59.060{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59535-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000101960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.005{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.003{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x8000000000000000101989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:02.509{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D41F2BBE9E31BD6AC222EB875D9DD7D,SHA256=222D21920FA582B763A6B7DA10B7DEF3307BBB9816D1041DE79FF20B96CBC6F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:02.496{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059D18BA1D7B60F1B6E7F955BC0188AB,SHA256=B057074DD259BF4E7E249A54F32F64AFC837A4901D50BC99B86B16BCE0CDF1F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:02.083{7DAC9CB3-BE89-63BE-1100-00000000A702}412NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=591C8DCA7C63D0D29FD0E2F9ABE4086B,SHA256=13797C67430942033DEE91242686C0CD1956E8646213A83B1C9D2A8A5B6207CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:03.587{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E33B0D0F2C73D0160A6C84376BAD2C61,SHA256=CE7B804D158385A03FDEF7A657381D71E91FEC25782A7E65A01D81C0CB066AC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:03.842{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:03.841{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:03.839{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x8000000000000000101990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:03.605{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC1A59AE7DA5E3CB60C940532A3C4E0,SHA256=452A6C140FDCF70691AFC2143615DFEA2EBB710DCC2A1FD5A0AE3098A890B6CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:04.660{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24018D0509A69F03D81088D280E85D55,SHA256=5D67F2EB48531B849EADB1BB0E11F0F39B3DC8980876892BF9C7EE56C48C33CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.606{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.603{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 
10341000x800000000000000039249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.600{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.597{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.596{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.594{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.592{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.591{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 23542300x8000000000000000102009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.670{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5CFFFFEAE5545C59F0ACF203CE0AB9,SHA256=3B9C09AB854BBAE18E9992F4109A5068B7EFF599B63946AB0F8FFA1CD70BF84A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:04.589{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.585{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.579{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.575{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.572{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.561{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.550{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 
10341000x800000000000000039236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.545{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.532{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.525{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.506{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.499{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.490{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.478{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.471{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.457{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.446{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.439{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000039225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.433{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.427{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.419{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x8000000000000000102008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.490{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C296-63BE-6E01-00000000A702}6532C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.488{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.485{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.467{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.450{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.409{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.397{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.385{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.378{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.376{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.361{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.358{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.355{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.354{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.351{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000039253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:05.746{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCFA1DCDC29EE81ACD5D27D039BDB24,SHA256=AA02BB252D6F04EC8F2E263CCB7EC1F819754A9B0D78477C70FD4F733A5BE8D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:05.760{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD648F8C0E41205A6E3311ABC6E0EF1F,SHA256=41F6BBCE5E6C486349FA35E1E9023022EEE72DC7493552E01B7080D73A8414A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:03.793{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49965-false10.0.1.12-8000- 
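The records on this page are Sysmon events from the two Attack Range hosts with their XML field values run together. For the Event ID 10 (ProcessAccess) records that make up most of this block, the field order is EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer, RuleName, UtcTime, SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace. Read that way, the record ending `...aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40...` is aurora-agent.exe (PID 1552) on win-host-ctus-attack-range-780 opening lsass.exe (PID 632) with GrantedAccess 0x40, which is PROCESS_DUP_HANDLE, from the same wow64 call stack it uses against every other process in the sweep. The svchost.exe (PID 728) opens of lsass.exe with 0x1400 come from lsm.dll and ask only for query rights, and the lsass.exe opens of svchost.exe with 0x1000 come from lsasrv.dll and SspiSrv.dll. An LSASS-access detection has to separate exactly these cases. The following is an added example, not code from the Attack Range project or from Sysmon: it decodes the GrantedAccess mask, splits the CallTrace into module names, and classifies LSASS opens by the rights requested and by a full-path allowlist. The sample events are constructed from values visible on the page, except the last one, a made-up positive control (`C:\Users\Public\dumper.exe` asking for 0x1010) that does not appear on this page.

```python
"""Triage of Sysmon Event ID 10 (ProcessAccess) records for handle opens on lsass.exe.
Added example, not part of the Attack Range dataset on this page. SAMPLE_EVENTS is
constructed from values visible on the page plus one made-up positive control."""
import ntpath

# Process access rights from winnt.h; Sysmon reports the requested mask as GrantedAccess.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights that let the caller read, write or duplicate LSASS memory and handles.
# Query-only masks such as 0x1000 and 0x1400 are what the OS itself uses, so they are not here.
DUMP_CAPABLE = 0x0008 | 0x0010 | 0x0020 | 0x0040


def decode_access(mask):
    """Names of the rights set in a GrantedAccess mask, given as '0x1400' or an int."""
    mask = int(mask, 16) if isinstance(mask, str) else mask
    if (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def call_trace_modules(call_trace):
    """Lower-case module names from Sysmon's '|'-separated CallTrace; a frame with
    no backing image on disk is reported by Sysmon as UNKNOWN(address)."""
    mods = []
    for frame in call_trace.split("|"):
        if frame.startswith("UNKNOWN"):
            mods.append("UNKNOWN")
        else:  # drop the +offset and any trailing '(wow64)' marker
            mods.append(ntpath.basename(frame.rsplit("+", 1)[0]).lower())
    return mods


def triage_lsass_access(event, allowlist):
    """None unless the record is an EID 10 open of lsass.exe; otherwise a dict whose
    verdict is 'benign_rights', 'allowlisted' or 'suspicious'."""
    if event["EventID"] != 10 or ntpath.basename(event["TargetImage"]).lower() != "lsass.exe":
        return None
    mask = int(event["GrantedAccess"], 16)
    rights = decode_access(mask)
    reasons = []
    if mask & DUMP_CAPABLE or (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
        reasons.append("dump-capable rights: " + ", ".join(rights))
    if "UNKNOWN" in call_trace_modules(event["CallTrace"]):
        reasons.append("call stack has a frame outside any loaded image")
    if not reasons:
        verdict = "benign_rights"
    elif event["SourceImage"].lower() in allowlist:  # match the full path, never the basename
        verdict = "allowlisted"
    else:
        verdict = "suspicious"
    return {"verdict": verdict, "rights": rights, "reasons": reasons}


LSASS = r"C:\Windows\system32\lsass.exe"
SAMPLE_EVENTS = [  # constructed; the first three mirror records on this page
    {"EventID": 10, "UtcTime": "2023-01-11 14:13:04.427", "SourceProcessId": 1552,
     "SourceImage": r"C:\Program Files\Aurora-Agent\aurora-agent.exe",
     "TargetImage": LSASS, "TargetProcessId": 632, "GrantedAccess": "0x40",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|"
                  r"C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|"
                  r"C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)"},
    {"EventID": 10, "UtcTime": "2023-01-11 14:13:07.820", "SourceProcessId": 728,
     "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": LSASS, "TargetProcessId": 632, "GrantedAccess": "0x1400",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|"
                  r"c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63"},
    {"EventID": 10, "UtcTime": "2023-01-11 14:13:07.820", "SourceProcessId": 632,
     "SourceImage": LSASS, "TargetImage": r"C:\Windows\system32\svchost.exe",
     "TargetProcessId": 1032, "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed"},
    # Made-up positive control, NOT on the page: VM_READ|QUERY_LIMITED_INFORMATION (0x1010)
    {"EventID": 10, "UtcTime": "2023-01-11 14:13:12.000", "SourceProcessId": 4242,
     "SourceImage": r"C:\Users\Public\dumper.exe",
     "TargetImage": LSASS, "TargetProcessId": 632, "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|"
                  r"UNKNOWN(00007FF6A0001234)"},
]
# Allowlist on the full lower-cased image path so a copy of the agent elsewhere does not match.
ALLOWLIST = {r"c:\program files\aurora-agent\aurora-agent.exe"}


def run(events=SAMPLE_EVENTS, allowlist=ALLOWLIST):
    """Triage every record; returns [(UtcTime, source image name, verdict)]."""
    rows = []
    for ev in events:
        result = triage_lsass_access(ev, allowlist)
        if result is not None:
            rows.append((ev["UtcTime"], ntpath.basename(ev["SourceImage"]), result["verdict"]))
    return rows


if __name__ == "__main__":
    for row in run():
        print(*row)
```

Run as-is, the three opens of lsass.exe come out as allowlisted (aurora-agent.exe with PROCESS_DUP_HANDLE), benign_rights (svchost.exe via lsm.dll with query rights only) and suspicious (the constructed control); the lsass.exe open of svchost.exe is ignored because lsass is the source there, not the target. Two design points matter in practice. The allowlist is keyed on the full lower-cased SourceImage, not the basename, so an agent binary copied to another directory is not excused; and a path is still only a path, so pair the entry with the Hashes field of the agent's own Event ID 1 record or the Signed/Signature fields of its Event ID 7 records, because anyone who can write under Program Files can satisfy a path match. The same sweep by the Aurora-Agent process on win-dc-ctus-attack-range-661 (PID 5840) shows why the agent is allowlisted rather than the 0x40 mask: the mask alone is what a handle-duplication dump would also request.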
23542300x800000000000000039254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:06.852{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6C61143675BDBFFDE66778D539C1EC,SHA256=6D0BDAB1B5CEBD355A9F62DEA771B3EDB7C8CC3D3702BBF17573C0C56BB43F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:06.859{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E75BA27F3FE1DF36F7D1029460940C18,SHA256=BB6B07DA88C4200DE7E2AC13C92289D33C1FB873B009C73AFAC4A34672203753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:07.933{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3071F9BD25BCDB114F1F3007978443,SHA256=3B68F0D687BE95D612CE4CCF5252473CF2437FB7E4593E10E597DF0160BBCD49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:07.964{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B05FEA20BD247046EE2F3AD29F40BE3,SHA256=85D19CCFF7C2CC8DCE2D4E3A010923AB04DD121E5045617FA32EEFA78C889D9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:07.820{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:07.820{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:07.820{3EE3745C-BE84-63BE-0B00-00000000A802}632672C:\Windows\system32\lsass.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:07.806{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-2100-00000000A802}1552C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000102012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.928{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59536-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000039262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:09.282{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:09.030{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8B8F350CDEC7DFB24F3098103A671F,SHA256=8F7CC2BB36AC6DBE3AC8F1F6E8327EB0327253308751D4B720E5A641C09347F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:09.054{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3545063AC467057AF14502E6906ED09D,SHA256=AC472031F1B8F30585526C45077C3F8305666F759E77014BB9F2DB03246F59A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:10.231{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D79379B7083E55667E9B191A43E1B8,SHA256=F0C7C53E95F3FD0A398A0010CF969F54D5BEC27830D2AC8AAC9CE47BA221B053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:10.267{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE28C608CBB28C448F67A84E0E0573E1,SHA256=AA08DBDC037448D0CE9EB4611D350FDCF39852CFB309360F8FA996AC30454588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:11.363{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3764E4280C14B0885BF8B7302570E790,SHA256=A101DCE941564191370E5AABBA0A51CC4A5C9332E4888D93DE79B22D74730538,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.881{3EE3745C-C3F7-63BE-3D01-00000000A802}19041836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.694{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3F7-63BE-3D01-00000000A802}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:11.694{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.694{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:11.694{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.694{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:11.694{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.694{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:11.694{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.694{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:11.694{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.694{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C3F7-63BE-3D01-00000000A802}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.694{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3F7-63BE-3D01-00000000A802}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.695{3EE3745C-C3F7-63BE-3D01-00000000A802}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.319{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F95A75F7456A1223E4E8E90115E251,SHA256=0D05CF97DFC1AD38A1B35F81ED2D34EC638E7F23E7E68A8DEDB03BF505D17004,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000039281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.194{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=643CC189BE95C096951A016E89F1DAD2,SHA256=0F9A0347FFFE86B5B303B62EF34114B9AA9D1A93BB5130E535EC74D07A3A7DE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.100{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C3F7-63BE-3C01-00000000A802}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000039279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.100{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C3F7-63BE-3C01-00000000A802}424C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000039278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.100{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C3F7-63BE-3C01-00000000A802}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 354300x800000000000000039277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:08.868{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49966-false10.0.1.12-8089- 10341000x800000000000000039276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.035{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3F7-63BE-3C01-00000000A802}424C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.035{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:11.035{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.035{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:11.035{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.035{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:11.035{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.035{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:11.035{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.035{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.035{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C3F7-63BE-3C01-00000000A802}424C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.035{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3F7-63BE-3C01-00000000A802}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:11.035{3EE3745C-C3F7-63BE-3C01-00000000A802}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:12.581{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974F7F87BA0C08716F1441AF219294E1,SHA256=212B8986CC97898E0136C86ECB9CE8CF9BEA0FD1F3CC745C6C12E6216CAC86A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:12.416{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7965557C122080B4A6A25DB914334C77,SHA256=4CCDDAF1CC235492DE6F4E655E6C051842605AE2C70583A3C2372A65A043F341,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:12.369{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3F8-63BE-3E01-00000000A802}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x800000000000000039311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:12.369{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:12.369{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:12.369{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:12.369{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:15.335{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C3FB-63BE-4101-00000000A802}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:15.335{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3FB-63BE-4101-00000000A802}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:15.336{3EE3745C-C3FB-63BE-4101-00000000A802}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:16.962{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A633BBCCCC43052848840E58B12173B9,SHA256=639A4072C5CB153CFA52F392AF5F2A866D0341AB31EDC39DE2717BEF25E83CA2,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000039371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.584{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3FC-63BE-4201-00000000A802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.584{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C3FC-63BE-4201-00000000A802}1892C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.584{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3FC-63BE-4201-00000000A802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.585{3EE3745C-C3FC-63BE-4201-00000000A802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:17.617{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F0CC2989AC8FEB7F1EE2088BA81E60B,SHA256=D93EDA4D90B053519975FF9F6724B86C6F6202E78789E3FD4DF5DC076EC84B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:17.294{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD90C6AE22E5FC69BD7B9E045CEBB1EE,SHA256=41C66C1D74570E335459B08A02FD02C0360733AD2F4B5954BB3AF4F5E6080142,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:14.801{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49968-false10.0.1.12-8000- 354300x8000000000000000102027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:15.726{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.595{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.586{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 
10341000x800000000000000039395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.582{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.553{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.541{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.503{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.493{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.479{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.464{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.454{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.448{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.439{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.429{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.420{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.409{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.404{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 23542300x800000000000000039381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.095{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB70FF2CEDC10A4BE7C71A0922618CC6,SHA256=71FDC55628F3741B0FD448F930869669117ACCA894EB1FA0BD39315EDB46140C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:24.538{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:24.534{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:24.513{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:24.498{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:24.445{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:24.432{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:24.420{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:24.414{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:24.411{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:24.407{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:24.403{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:24.400{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:24.399{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:24.396{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000039411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:25.483{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365953B17704F0B292DDB2946466C9B3,SHA256=B2327AD2455EEF42CDC8D382A5C457F6DFC77057F092D6AA74973435C5A7B5E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:26.580{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D760F78D64A6370E869B36B34680D3B2,SHA256=760CCDE1814AF58037ACEC98356459E437AACAE5FF8778C67A9DC147FC41BB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:26.011{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380B1A6DB0051E6F37FF08829472F11D,SHA256=0BF13F0FD2D4979920EDE138774270093E649361CB83BE9CBC93E9D5A838DA3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:27.691{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F7F4BF3730730657EB94EF23079136,SHA256=77AB1203D282ECD41A100DA816E4434C09BE4218410B1D06FABA7BD35A244612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:27.104{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=371B6069E4CF3678B956FAB8337B929E,SHA256=A68658E97D4E03E408A81938A3BF7F03CFC46769C79140B8AABEC55056B3C9CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:28.797{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F605F017061BE2C82908B5FDDC33140,SHA256=233516C0406F2E3F48AFD2C631710D9B76C00F312DE401696C662D74728F1802,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:26.995{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59541-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:28.314{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E9A04BFF27FE9E057DC5A601775F5C,SHA256=E87F23E95CED3E779E58BC29E866CDECF50678D2C395068A10AB23B3EA012285,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:26.723{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49970-false10.0.1.12-8000- 23542300x800000000000000039416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:29.861{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402A83D0DA393CE7C3BA964DCEF3FF6C,SHA256=810D4B8BCCE532DB9D15360BCA9E912D6A5E8D06241F70A7D0DFB25A089EE009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:29.444{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C14283C25A5525FCF3EF340ACF3988D,SHA256=752D8EEE7B3570AF525449614AD0D09252308D45A35EDF080BF3FB6F55C0FF39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:29.147{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C409-63BE-9A01-00000000A702}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:29.147{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:29.147{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:29.147{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:29.147{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:29.147{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C409-63BE-9A01-00000000A702}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:29.147{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C409-63BE-9A01-00000000A702}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:29.147{7DAC9CB3-C409-63BE-9A01-00000000A702}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:30.943{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:30.943{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:30.943{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:30.943{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:30.943{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:30.943{7DAC9CB3-BE86-63BE-0500-00000000A702}420536C:\Windows\system32\csrss.exe{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:30.943{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:30.944{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:30.536{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D6E7BFE31F62DC680B2C2D9D1907C7,SHA256=C5AEDB4F8CE82A9C9103F3CBBCB88D154F5A9C85AE5304BFFA75996BE32DB8E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000039417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:13:30.415{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d925c6-0xe1adc786) 23542300x8000000000000000102094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:30.302{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA4E688DDEC821F1CB2B8ADF6ECA6A36,SHA256=111EA6066C916A1ABE65D6438DDE04D6DF64DE22756794871573F6D03D87C14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:30.002{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D36B6A33346D3072AAE512FF71184E20,SHA256=59F0A2D069E62EF15AC0A9E696688750DA4FF5541C623232E6C91A34F20A45B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:29.728{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59542-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000102121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:29.728{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59542-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 10341000x8000000000000000102120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:31.760{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.760{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C40B-63BE-9C01-00000000A702}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:31.760{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.760{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:31.760{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.760{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C40B-63BE-9C01-00000000A702}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.760{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C40B-63BE-9C01-00000000A702}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.761{7DAC9CB3-C40B-63BE-9C01-00000000A702}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.620{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FFCC24B4BC7D8A6594155399FCC764D,SHA256=7BFE2F0BC9FD7004C1A12A6E9CAE2353E4E58D4F89E5BB341A5F8DB28B04C51C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:31.067{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849B08C2189CE99BA25F11F2CC08D7E8,SHA256=318BA5BBE9FEFF501508B9A4E359CE3A9954C769E598B0B99CEF405C9E60056C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.417{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AEC36E336C740F25574E3AA70E0863F3,SHA256=85ED95AF6127CC6C8B3103F04EE7FF25FC594795D14E937E2AD298AEA334D10A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.260{7DAC9CB3-C40A-63BE-9B01-00000000A702}24284212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.037{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.037{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.037{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.035{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.035{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.035{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 23542300x8000000000000000102123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:32.703{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C448F3EE25BA941F5CCDEBD01A95B7B,SHA256=AE5B70CB2631EA8E815CB3F494F33836CEFC282BF65AEA4C4DE51A64B45BE297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:32.275{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CD3E98339BA5BE33A13B4366BF603A,SHA256=58E89448399F6EFE66C1B5A418B6C21E446F50215474059C779B22318ECDB318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:33.822{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E9013290B73883D9AE40FC2A2D85D63,SHA256=001909EA88C67A2F5766743A9CEF2D03299D9B39BBE411EAB910AA9A7F096025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:33.576{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7FEA0BEA080FB50493639C88B7FBD9,SHA256=B6240E11D70D364D071D0DD23CDA48B3BE595456064B32D35895FFD2A3495B6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:33.431{7DAC9CB3-C40D-63BE-9D01-00000000A702}604624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:33.209{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C40D-63BE-9D01-00000000A702}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:33.209{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:33.209{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:33.209{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:33.209{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:33.209{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C40D-63BE-9D01-00000000A702}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:33.209{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C40D-63BE-9D01-00000000A702}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:33.209{7DAC9CB3-C40D-63BE-9D01-00000000A702}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:34.905{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12495E9B69FA6911EA13C196C94A6838,SHA256=8F72F8DC9A0E71FA48FA225C5455E77255D76E74AC7970E63C23EF3A5F861D87,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000102151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:34.859{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C40E-63BE-9F01-00000000A702}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:34.859{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:34.859{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:34.859{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:34.859{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:34.859{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C40E-63BE-9F01-00000000A702}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:34.859{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C40E-63BE-9F01-00000000A702}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:34.859{7DAC9CB3-C40E-63BE-9F01-00000000A702}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:32.988{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59543-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000039423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:32.705{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49971-false10.0.1.12-8000- 23542300x800000000000000039422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:34.679{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9991EEB13CF116A3744EAF29D41324A4,SHA256=71C49DC0D8CD65488843FA6EA120D55A2F4F1ADD1B99263790AAD6D408992154,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:34.452{7DAC9CB3-C40E-63BE-9E01-00000000A702}25201016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:34.182{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C40E-63BE-9E01-00000000A702}2520C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:34.182{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:34.182{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:34.182{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:34.182{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:34.182{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C40E-63BE-9E01-00000000A702}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:34.182{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C40E-63BE-9E01-00000000A702}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:34.182{7DAC9CB3-C40E-63BE-9E01-00000000A702}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:34.056{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\respondent-20230111135000-022MD5=CA0432AED8832FEC4A268ECD95555CC4,SHA256=F2EC2AB8CCFA0BEF84779FAA8BB551C0FFBD1784CE3F0961E9269E14E4DD7D03,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000102161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:35.960{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6214DE1262E103394A7216BF20F6E566,SHA256=9DA60A9C0F134980B4B0807D1F93080701F5EB3214AE7B0F5FE24DD312A7C9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:35.891{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF52F09AD58A9409C164E57070F42507,SHA256=7D509FD5296A8C8DD61BAFFCC4BC2302F6F0ED4A699627BA2AEBFC3FFBE3A12D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:35.779{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D97967748946B41D902E9902A90FA25,SHA256=E8285398D963ABE34329A03591FB0FD965074A49980D9F8EDC858B088A26CC08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:35.085{7DAC9CB3-C40E-63BE-9F01-00000000A702}56685468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:35.023{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C40E-63BE-9F01-00000000A702}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:35.023{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C40E-63BE-9F01-00000000A702}5668C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:35.023{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C40E-63BE-9F01-00000000A702}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:35.023{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C40E-63BE-9F01-00000000A702}5668C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:35.023{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C40E-63BE-9F01-00000000A702}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:35.023{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C40E-63BE-9F01-00000000A702}5668C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 23542300x800000000000000039424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:35.066{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\surveyor-20230111134958-023MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:36.875{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD1953F9859A307B8B0907D6FD10145,SHA256=6C2B86284DA70BB3A979E0A8532997C34FC7B0E97B57D92DB0CE4EF8AE5AC29F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:36.654{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C410-63BE-A001-00000000A702}2100C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:36.654{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:36.654{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:36.654{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:36.654{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:36.654{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C410-63BE-A001-00000000A702}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:36.654{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C410-63BE-A001-00000000A702}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:36.654{7DAC9CB3-C410-63BE-A001-00000000A702}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:36.994{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC40AA93F3E4D600D8353C33F405667,SHA256=9D643E2688920922FF382EF331469D4F2720DA0AD95C0B4CB60931B1B1DD36F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:38.086{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7F28C31CABB680093989C945FB8CB9,SHA256=A256BE621B265A5AD7B9840E8D50F9AECB95142945E4A48995ECFE5BB0C2B465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:38.085{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91ABC7F5EE5F5660C1FF8CA0D063EA4,SHA256=91BEBA75D280FCC1AF7A35976B85C52E803C512E95D8EA4DB76E9DCE4DB2B733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:39.169{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90196F6D0EB8BDEE4FF5779EC68E1F2B,SHA256=9D072129BFFB38906EE5DE521DC672246AD530816978A07474AC1193BA99DFBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:39.206{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586324233AC013297C2018EDEB981688,SHA256=906ED8AD5921B3C3270F1800ECA879EC5A0A4EAC424EBB53F976EFF24216D4E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:38.626{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49972-false10.0.1.12-8000- 23542300x800000000000000039429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:40.468{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435A803EB5B10466935F2765EEF38F14,SHA256=135389868DC3E02045BCD51108E7FF33C858E07DA98979E4282E9697E05EB8E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:38.937{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59544-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:40.329{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B415AAE147560146A6E7DA77B26786A2,SHA256=EEC203A688999B33D56681194B2A9F106C1FE4F91420046FECDEAE0C180D719B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:41.557{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EAD6C2A9AF8465079A52A0A34A3D9E,SHA256=DEE3C05281A966E552C1E150AA1E7FDA8EFA63E1489862AEA086CAB336E3094E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.949{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.948{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.943{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.940{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.934{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.932{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.928{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x8000000000000000102194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.417{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E20DC963443CDFBB7435CAC281906E9,SHA256=488A3420EF753C4AFFC8D46D0A1066259E75BFBE07378071F963FE6B9920E296,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.395{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.379{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.367{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.359{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.356{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.348{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.293{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.278{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.266{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.243{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.221{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.209{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.197{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.183{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.161{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.139{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.124{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Sysmon event records, one per line, with the flattened export (event XML tags stripped, fields run together) split back into Sysmon schema fields. Common to every record: channel Microsoft-Windows-Sysmon/Operational, Level 4, Opcode 0, Keywords 0x8000000000000000, RuleName "-". v3/v5 is the event schema version; "pid+tid" is SourceProcessId and SourceThreadId as the export runs them together. T(addr) stands for the call trace that every aurora-agent.exe record carries, which differs only in its last frame: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(addr)

EID 10 v3 | (EventRecordID, Computer, UtcTime and the start of the source fields are on the preceding line of the export) | src (path tail) Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-BE88-63BE-0C00-00000000A702} pid 836 C:\Windows\system32\svchost.exe | access 0x40 | trace T(00000000136003D0)
EID 10 v3 | rec 102176 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:41.002 | src {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid+tid 58406048 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-BE87-63BE-0B00-00000000A702} pid 636 C:\Windows\system32\lsass.exe | access 0x40 | trace T(0000000017A1A190)
EID 10 v3 | rec 102175 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:40.997 | src {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid+tid 58406048 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-BE86-63BE-0900-00000000A702} pid 576 C:\Windows\system32\winlogon.exe | access 0x40 | trace T(0000000017A1A190)
EID 23 v5 | rec 39433 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:42.867 | proc {3EE3745C-BE98-63BE-7400-00000000A802} pid 3564 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | target C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=08906BA0AA53B4201F402751FB6700F6,SHA256=38E8A40D4211BD2268876BE8DCF2608A8A1B18B708BA680C488DC87A3A77C29B,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
EID 23 v5 | rec 102202 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:42.472 | proc {7DAC9CB3-BEAB-63BE-7B00-00000000A702} pid 3632 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | target C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C364FAC3364DFB8B6767C99667982CCF,SHA256=09B9BE8506E18BBCF151C270270169287FFFA62CDFFAFF4AE47B11FF196EBEC9,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
EID 23 v5 | rec 39432 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:42.364 | proc {3EE3745C-BE85-63BE-2200-00000000A802} pid 1620 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | target C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log | MD5=BBB1F5CFD52EED50D06E3F29912CDA6E,SHA256=779DC937899838349E4C61369CD9BDC880E0175585D4C3228695FECC1518C378,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
EID 23 v5 | rec 39434 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:43.958 | proc {3EE3745C-BE98-63BE-7400-00000000A802} pid 3564 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | target C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=FF8393189FC4D00D17709D3B29BC9FF7,SHA256=985304793F349BD55E9B9FFAF186E63CA5C13B37777F6BED673BCD77C84D3B7A,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
EID 10 v3 | rec 102206 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:43.996 | src {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid+tid 58405988 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-BE98-63BE-3D00-00000000A702} pid 3280 C:\Windows\System32\vds.exe | access 0x40 | trace T(00000000136003D0)
EID 10 v3 | rec 102205 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:43.995 | src {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid+tid 58405988 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-BE98-63BE-3600-00000000A702} pid 3116 C:\Windows\system32\conhost.exe | access 0x40 | trace T(00000000136003D0)
EID 10 v3 | rec 102204 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:43.993 | src {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid+tid 58405988 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-BE97-63BE-3100-00000000A702} pid 3028 C:\Windows\system32\wbem\unsecapp.exe | access 0x40 | trace T(00000000136003D0)
EID 23 v5 | rec 102203 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:43.571 | proc {7DAC9CB3-BEAB-63BE-7B00-00000000A702} pid 3632 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | target C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=51AB940B8B3C332196813AF2ABDAE11A,SHA256=9CBC4B932605E1925AE6B6D1BF2485BFADFA094B7C1561F0544B9A3DDB936CE9,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
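The records on this page were exported with the Sysmon event XML tags stripped, so each event arrives as one run-together string and a reader has to know the Sysmon field order to tell the SourceImage from the TargetImage, or the GrantedAccess mask from the first CallTrace frame. The Python below is an added example, not part of the export or of any tool named on the page: it splits records of that raw form back into Sysmon fields by leaning on the fixed shapes of the neighbouring fields (braced GUIDs, the 0x access mask, drive-letter paths), decodes GrantedAccess into winnt.h process rights, and runs a small ProcessAccess triage over three records copied from this page (CallTraces cut to a few frames) plus one constructed record that models a non-agent process reading lsass memory. The assumptions are: RuleName is "-" and Image paths end in ".exe" (true of every record shown), the baseline rule that C:\Program Files\Aurora-Agent\aurora-agent.exe with its usual wow64 trace sweeping processes with PROCESS_DUP_HANDLE is expected on this range, and the constructed record's PID, path and GUID, which are made up.

```python
# Added example, not code from the export on this page: split flattened Sysmon records (event XML
# with the tags stripped, fields run together in schema order) back into fields and triage Event
# ID 10. Assumes RuleName is "-" and Image paths end in ".exe", true for every record shown.
import re

# Process access rights from winnt.h; Sysmon's GrantedAccess is a mask of these.
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
}
WRITE_RIGHTS = 0x0002 | 0x0008 | 0x0020 | 0x0080  # inject a thread, write memory, spawn a child

# System block: EventID, Version, Level, Task (== EventID), Opcode, Keywords, EventRecordID,
# Channel, Computer; EventData then opens with RuleName ("-") and UtcTime.
HEADER = re.compile(
    r"^(?P<eid>\d{1,2})(?P<version>\d)(?P<level>\d)(?P=eid)(?P<opcode>\d)0x8000000000000000"
    r"(?P<record>\d+)Microsoft-Windows-Sysmon/Operational(?P<computer>.+?)-"
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})")
GUID = r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}"
PATH = r"[A-Za-z]:\\"
# EID 10 v3 EventData: SourceProcessGUID, SourceProcessId+SourceThreadId (run together in the export,
# kept as one string), SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess,
# CallTrace. Lazy matches stop where the next field's fixed shape (GUID, 0x, drive letter) begins.
EID10 = re.compile(
    "^(?P<sguid>" + GUID + r")(?P<spid_tid>\d+)(?P<simage>" + PATH + ".+?)(?P<tguid>" + GUID
    + r")(?P<tpid>\d+)(?P<timage>" + PATH + ".+?)(?P<access>0x[0-9A-Fa-f]+?)(?P<trace>" + PATH + ".*)$")
# EID 23 v5 EventData: ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable, Archived.
EID23 = re.compile(
    "^(?P<guid>" + GUID + r")(?P<pid>\d+)(?P<user>.+?)(?P<image>" + PATH + r".+?\.exe)(?P<target>"
    + PATH + ".+?)(?P<hashes>MD5=[0-9A-F]+,SHA256=[0-9A-F]+,IMPHASH=[0-9A-F]+)"
    "(?P<is_executable>true|false)(?P<archived>true|false)$")

def parse_record(line):
    """Split one flattened record into named fields; None if it does not have the expected shape."""
    head = HEADER.match(line)
    if not head:
        return None
    fields = head.groupdict()
    fields["eid"] = int(fields["eid"])
    shape = {10: EID10, 23: EID23}.get(fields["eid"])  # only the two event types on this page
    data = shape.match(line[head.end():]) if shape else None
    if not data:
        return None
    fields.update(data.groupdict())
    return fields

def decode_access(mask):
    """Names of the rights set in a GrantedAccess mask, in winnt.h order."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]

# Baseline assumption drawn from this page: the agent opens every process with PROCESS_DUP_HANDLE
# and always reports the same wow64 call trace ending in aurora-agent.exe+6a255. A production
# allowlist would also pin the binary's hash or signer; a path string alone is trivial to spoof.
KNOWN_AGENT_IMAGE = r"c:\program files\aurora-agent\aurora-agent.exe"
KNOWN_AGENT_FRAME = "aurora-agent.exe+6a255"

def triage_process_access(ev):
    """'baseline' (known agent sweep), 'alert' (memory read of lsass), 'review' or 'benign'."""
    mask = int(ev["access"], 16)
    source, target = ev["simage"].lower(), ev["timage"].lower()
    on_lsass = target.endswith("\\lsass.exe")
    if (source == KNOWN_AGENT_IMAGE and KNOWN_AGENT_FRAME in ev["trace"]
            and not mask & (0x0010 | WRITE_RIGHTS)):
        return "baseline"  # enumeration rights only, from the known agent
    if on_lsass and mask & 0x0010:
        return "alert"  # PROCESS_VM_READ on lsass is what credential dumpers need
    if on_lsass or mask & WRITE_RIGHTS:
        return "review"  # any other lsass access, or write rights anywhere
    return "benign"

# Three records copied from this page (CallTraces cut to a few frames) and one constructed record
# that models a non-agent process reading lsass memory; its PID, path and GUID are made up.
REC_AGENT_LSASS = (
    r"10341000x8000000000000000102176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local"
    r"-2023-01-11 14:13:41.002{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe"
    r"{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|"
    r"C:\Windows\System32\wow64.dll+124f4|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190)")
REC_RPCSS_AGENT = (
    r"10341000x8000000000000000102222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local"
    r"-2023-01-11 14:13:44.992{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe"
    r"{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\rpcss.dll+3f906|C:\Windows\SYSTEM32\ntdll.dll+51791")
REC_FILE_DELETE = (
    r"23542300x800000000000000039433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:42.867"
    r"{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"
    r"C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational"
    r"MD5=08906BA0AA53B4201F402751FB6700F6,SHA256=38E8A40D4211BD2268876BE8DCF2608A8A1B18B708BA680C488DC87A3A77C29B,"
    r"IMPHASH=00000000000000000000000000000000falsetrue")
REC_CONSTRUCTED = (  # hypothetical; 0x1010 = PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ
    r"10341000x8000000000000000999999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:00.000"
    r"{3EE3745C-0000-63BE-0000-00000000A802}42004204C:\Users\Public\tool.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632"
    r"C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Users\Public\tool.exe+1234")
SAMPLES = [REC_AGENT_LSASS, REC_RPCSS_AGENT, REC_FILE_DELETE, REC_CONSTRUCTED]

if __name__ == "__main__":
    for ev in filter(None, map(parse_record, SAMPLES)):
        print(ev["record"], ev["eid"], triage_process_access(ev) if ev["eid"] == 10 else "n/a")
```

Run as a script it prints one verdict per sample; for a larger export, feed its lines to parse_record and keep the EID 10 results. Two points the page's own data make: the svchost.exe record (0x1000 with an RPCRT4/rpcss call trace) is the RPC runtime querying the agent, so it stays benign, and the agent touching lsass.exe with only PROCESS_DUP_HANDLE is its routine sweep, which is why the baseline check inspects the source image, the call trace and the rights before it looks at the target. The same agent asking for PROCESS_VM_READ on lsass would still alert, because the baseline branch is conditioned on the rights mask rather than on the source alone.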
Sysmon event records, one per line, with the flattened export split back into Sysmon schema fields (common to every record: channel Microsoft-Windows-Sysmon/Operational, Level 4, Opcode 0, Keywords 0x8000000000000000, RuleName "-"; v3/v5 is the event schema version; "pid+tid" is SourceProcessId and SourceThreadId as the export runs them together). T(addr) stands for the call trace that every aurora-agent.exe record carries, which differs only in its last frame: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(addr)

EID 10 v3 | rec 102222 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:44.992 | src {7DAC9CB3-BE88-63BE-0C00-00000000A702} pid+tid 836872 C:\Windows\system32\svchost.exe | tgt {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid 5840 C:\Program Files\Aurora-Agent\aurora-agent.exe | access 0x1000 | trace C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EID 23 v5 | rec 102221 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:44.654 | proc {7DAC9CB3-BEAB-63BE-7B00-00000000A702} pid 3632 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | target C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C3FCA90C0078DEC65EEE225D41A3F84E,SHA256=87FD77229C67ACA789643DC8130EDAEB014BA2D6D2CAAC3AD58408E5EE13765F,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
EID 10 v3 | rec 102220 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:44.597 | src {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid+tid 58405988 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-C226-63BE-5B01-00000000A702} pid 4528 C:\Program Files\Notepad++\notepad++.exe | access 0x40 | trace T(00000000136003D0)
EID 10 v3 | rec 102219 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:44.595 | src {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid+tid 58405988 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-C059-63BE-F300-00000000A702} pid 6208 C:\Windows\system32\wbem\wmiprvse.exe | access 0x40 | trace T(00000000136003D0)
EID 10 v3 | rec 102218 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:44.579 | src {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid+tid 58405988 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-BF91-63BE-AF00-00000000A702} pid 4604 C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | access 0x40 | trace T(00000000136003D0)
EID 10 v3 | rec 39463 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.705 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-C0AB-63BE-C000-00000000A802} pid 588 C:\Windows\system32\wbem\wmiprvse.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39462 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.701 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BEFF-63BE-8200-00000000A802} pid 524 C:\Windows\System32\msdtc.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39461 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.698 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE98-63BE-7400-00000000A802} pid 3564 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39460 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.695 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE91-63BE-6200-00000000A802} pid 3328 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39459 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.693 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE88-63BE-3D00-00000000A802} pid 2812 C:\Windows\system32\conhost.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39458 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.689 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE87-63BE-3C00-00000000A802} pid 3024 C:\Program Files\Amazon\SSM\ssm-agent-worker.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39457 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.688 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE87-63BE-2E00-00000000A802} pid 2956 C:\Windows\system32\conhost.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39456 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.686 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE86-63BE-2600-00000000A802} pid 2580 C:\Windows\system32\wbem\unsecapp.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39455 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.684 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE86-63BE-2500-00000000A802} pid 2340 C:\Windows\system32\svchost.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39454 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.678 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE85-63BE-2200-00000000A802} pid 1620 C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39453 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.666 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE85-63BE-2000-00000000A802} pid 1288 C:\Windows\system32\svchost.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39452 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.661 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE85-63BE-1F00-00000000A802} pid 1992 C:\Windows\System32\svchost.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39451 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.658 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE85-63BE-1C00-00000000A802} pid 1912 C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39450 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.649 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE85-63BE-1A00-00000000A802} pid 1896 C:\Windows\sysmon64.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39449 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.639 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE85-63BE-1800-00000000A802} pid 1780 C:\Windows\System32\spoolsv.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39448 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.636 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE85-63BE-1700-00000000A802} pid 1236 C:\Windows\system32\svchost.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39447 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.607 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE85-63BE-1600-00000000A802} pid 1224 C:\Windows\system32\svchost.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39446 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.589 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE85-63BE-1500-00000000A802} pid 1040 C:\Windows\system32\svchost.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39445 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.541 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE85-63BE-1400-00000000A802} pid 1032 C:\Windows\system32\svchost.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39444 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.526 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE85-63BE-1300-00000000A802} pid 868 C:\Windows\system32\svchost.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39443 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.517 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE85-63BE-1200-00000000A802} pid 1004 C:\Windows\System32\svchost.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39442 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.503 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE85-63BE-1100-00000000A802} pid 972 C:\Windows\System32\svchost.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39441 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.491 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE85-63BE-1000-00000000A802} pid 944 C:\Windows\System32\svchost.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39440 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.484 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE85-63BE-0F00-00000000A802} pid 904 C:\Windows\system32\dwm.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39439 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.470 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE85-63BE-0E00-00000000A802} pid 896 C:\Windows\system32\LogonUI.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39438 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.452 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE84-63BE-0D00-00000000A802} pid 788 C:\Windows\system32\svchost.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39437 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.436 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE84-63BE-0C00-00000000A802} pid 728 C:\Windows\system32\svchost.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39436 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.421 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE84-63BE-0B00-00000000A802} pid 632 C:\Windows\system32\lsass.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 39435 | win-host-ctus-attack-range-780 | 2023-01-11 14:13:44.417 | src {3EE3745C-BE85-63BE-2100-00000000A802} pid+tid 15524044 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {3EE3745C-BE84-63BE-0900-00000000A802} pid 572 C:\Windows\system32\winlogon.exe | access 0x40 | trace T(000000001B26C190)
EID 10 v3 | rec 102217 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:44.568 | src {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid+tid 58405988 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-BF90-63BE-AE00-00000000A702} pid 4168 C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | access 0x40 | trace T(00000000136003D0)
EID 10 v3 | rec 102216 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:44.536 | src {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid+tid 58405988 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-BF8F-63BE-AD00-00000000A702} pid 5040 C:\Windows\Explorer.EXE | access 0x40 | trace T(00000000136003D0)
EID 10 v3 | rec 102215 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:44.529 | src {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid+tid 58405988 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-BF8E-63BE-A500-00000000A702} pid 4540 C:\Windows\system32\svchost.exe | access 0x40 | trace T(00000000136003D0)
EID 10 v3 | rec 102214 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:44.520 | src {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid+tid 58405988 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-BF8E-63BE-A200-00000000A702} pid 4436 C:\Windows\System32\rdpclip.exe | access 0x40 | trace T(00000000136003D0)
EID 10 v3 | rec 102213 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:44.515 | src {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid+tid 58405988 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-BF8C-63BE-9F00-00000000A702} pid 172 C:\Windows\system32\dwm.exe | access 0x40 | trace T(00000000136003D0)
EID 10 v3 | rec 102212 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:44.513 | src {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid+tid 58405988 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-BF8B-63BE-9D00-00000000A702} pid 2144 C:\Windows\system32\winlogon.exe | access 0x40 | trace T(00000000136003D0)
EID 10 v3 | rec 102211 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:44.510 | src {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid+tid 58405988 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-BF11-63BE-8900-00000000A702} pid 3180 C:\Windows\System32\msdtc.exe | access 0x40 | trace T(00000000136003D0)
EID 10 v3 | rec 102210 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:44.507 | src {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid+tid 58405988 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-BEAB-63BE-7B00-00000000A702} pid 3632 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | access 0x40 | trace T(00000000136003D0)
EID 10 v3 | rec 102209 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:13:44.504 | src {7DAC9CB3-BF9C-63BE-B700-00000000A702} pid+tid 58405988 C:\Program Files\Aurora-Agent\aurora-agent.exe | tgt {7DAC9CB3-BEA4-63BE-7100-00000000A702} pid 3944 C:\Program (the rest of this record is on the next line of the export)
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:44.502{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:44.500{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000039464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:45.435{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238D77E69878880AC120AF673C41395A,SHA256=65758EA89B52812FA7F13ED191A03CA7ABC775589105468D7CE2E2F083AEE204,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:44.034{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59545-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:45.736{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C30E4512098FB707A2E5D02F92F7080,SHA256=4344241DAE90FF4272E5B61BAF873E18D92AA331C30CB122F0AC90D50EE7B259,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000102226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:45.378{7DAC9CB3-C226-63BE-5B01-00000000A702}4528ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=7D694A7696897B959203E9E5857B916A,SHA256=8715A9A3AABA9A6D0969E8E05BB219F797982C20556601877FBD277328D80879,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:45.004{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:45.004{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:45.004{7DAC9CB3-BE87-63BE-0B00-00000000A702}636676C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:46.845{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A005FAD9FE61DFB8233E06EA0D35D18,SHA256=AE8186D3BFB2F04D4FDEF9C4655E5A954A6CF1BF20DFB57A27A4B1CF242225B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:46.567{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42AB3465BCE1BB45511F414EA24C4294,SHA256=D939919DFEE887E7D97818B6839D4487ACECE316AC110F34E047DDC5C4D09ABB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:43.780{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49973-false10.0.1.12-8000- 23542300x8000000000000000102230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:47.960{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0C3A4C861A75F43798BF0CD5F0D70E,SHA256=D3CE5E421DCBF705365F28CDCE625ECCBAC174107BE85B85E342505D314D0F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:47.665{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C62A993D3F6B21A1812AE9B8EE2B9AE,SHA256=52EF67A7857CB71150D43B5218C8573A6DBDA5BC5A81D29BDC90B7D05FCEEC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:48.770{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7EF8063483B30B20CE12D4FA88B6EE6,SHA256=4D086156B96C07FAEE2738EAE618F2BD1A006BE8382A3EBDCFBFC65C3BB0C7BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:49.861{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514FB203F2D68967FBEEAF5F3124C282,SHA256=F1DF9327A40D8CE841B887E12CC010E7499A0C03CED6A90FDB36117B43288FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:49.066{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5387DB01E17AF4031B86B23A5E86C78,SHA256=E76A79985F748A90FF83A6242A772B15D2293B02985AE794E8F089F6BCB09934,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000102232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:50.161{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6A43B1782FC64561ACD0E5BB713EAC,SHA256=695E69F0937FB572155CB83E80E0B577ABC3A56C57D4F5316A8542F310154B93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:49.667{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49974-false10.0.1.12-8000- 23542300x800000000000000039470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:51.174{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BAFA9216F4C066271CB031E6605566,SHA256=0E9C97C25156784C21516E46F7095BAD70A82217F4C378FEB8268820973E571A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:51.507{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\respondent-20230111135017-022MD5=07F426DA1BACB3E11353998655DE41A4,SHA256=9692EE6582095E917EA0BD91D619685FE73AB8816512AD24B6859CB275BF64B2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000102233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:51.254{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C78D4D517BAF0D09AEC9681328C66187,SHA256=53DDAB0B1AB95C93701BE36D84DAFD27AAF498E8DAC28A68944D7C3F38A8B1A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:52.263{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD7C77C317EAADD4768F2207E75F203,SHA256=1FCC1E51CB238EB0055D305C2CA7619D67F430B24168D62493B559F80D0A5E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:52.512{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\surveyor-20230111135015-023MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:52.383{7DAC9CB3-C226-63BE-5B01-00000000A702}4528ATTACKRANGE\AdministratorC:\Program 
Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2023-01-11_141345MD5=71F241199BA49F1DDBC08543F21EB65F,SHA256=57C573660E98B93E859497F7F296ED22832C08F1D5F174F6047ACF28398F98A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:52.352{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9E3FA3F492D86BCC0E90C898E6DA398,SHA256=50C27095EB186601215C738A3B8A669FD85C78FA0ACE7D542D81685BCBA15D7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:49.956{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59546-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000039473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:53.367{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F03C9810476DB7E9EB6871178AF1E0C9,SHA256=8FE1B2C943189CA9FD86F796EDE0508E395951C250B1B676BA41E3787874CF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:53.456{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A40D445F27FB37C34CBF92C95D4838,SHA256=C7E24E8AAB9E4804778326B73D1177DE22F475597A996BFB448B290AA0BD5BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:54.466{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB252F1E71B55B179D769CAD6A57BB4,SHA256=C3D962A6960E9367FEA069E4C34C7ED2455C35799AC7726FA96CF622511B41A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:54.544{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E5C228DD21C81D599D22FCF98F36CD,SHA256=AD9549976C0894483FFEC26F7AEE6D5A07ED05DFC8D215820C7675F5BF56A220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:55.567{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1204728B52DC87527D8C6868794B9C3,SHA256=B113BD972430729EAEE5A1A3444391FD0987ED69D9C551D10A6F4A201F8EF9F5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000102241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:55.649{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC20AEDF4CB1E1896BA37860685BE67,SHA256=1F8756279C0FD12B594C65092E9EB47514C16FCDD61131B0670CFBBFD9D6978D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:56.950{7DAC9CB3-C226-63BE-5B01-00000000A702}4528ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2023-01-11_141345MD5=4EBD3DC66CBC7FA14171CD13DD4ADD2D,SHA256=D4DEF05F896BADA80B1E9D6DED7A44C7CD46242223146B131AA73D3BB94F805D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:56.950{7DAC9CB3-C226-63BE-5B01-00000000A702}4528ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=42DCCA41001E3FC5CA7AA2EE97204F72,SHA256=8AC1449776815B6EB07805E3088B63CE1F8E038B0507FB5BD3B7F0A880FBA462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:56.744{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA06325E600E8AE0379D9ECD1B257B2F,SHA256=9E198D17AABDE73BFEBD6CFCC4E9B9B64F9A7B17088262079DA12548FC87C061,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:54.768{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49975-false10.0.1.12-8000- 23542300x800000000000000039476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:56.648{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB97354B6E490A80D9163F3810428622,SHA256=520BADF6F4DA27A55A64991824323E3BC3E523CD6BCCFB9E1872F7A7543EF334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:57.839{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1153A994F9931D6C8A2D11890ECBCD0D,SHA256=9B5464CAD7A98085E60586786E93954F7AF3880C517D6848E9748894C3D2E7F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:57.950{3EE3745C-BE85-63BE-1100-00000000A802}972NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5D0B8901CCB81754DBB4C8C6F2F7BBC9,SHA256=DFB785F98F3C32654A7630DE8FC2BB7CC239FC389B954632B6B7F849113E1838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:57.745{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD4C4F588698A303FF60A3857B09781,SHA256=5B92C8669DD20050E939C10B7B2C5336087F7C147FD9E8F85CD393A1DE5EB33E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:58.841{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8234A3E2001887D364854A5D66AF75,SHA256=DA500439A576E90151F3DBC571D321E7DAF57B786CD83148A486BD97D3D4723D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:55.840{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59547-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000039481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:59.934{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30BAB080C1DA895BFC6BE924C8FBC3B2,SHA256=071B18223D8D84EC37B78CFD188EFFE057728BD84D00B0DEDEB371BC60A2DE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:59.046{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF929B256D86DC62D9C1816DA79D4885,SHA256=9B19E19E71BEA3E6F69BA7234125574D3F9F0AFEEA4E7E4E254D54001D02576E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:00.995{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:00.992{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
10341000x800000000000000039513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.850{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.848{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.847{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.844{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.844{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.842{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.838{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.830{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.821{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.814{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.812{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.803{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.787{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.782{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.753{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.742{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.660{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.635{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.598{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.564{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 23542300x800000000000000039493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.540{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8408B59469112403949CBD310160663E,SHA256=3CFFCEA0B0A04E630A9F202E6CFCBFB4CA64536674F478CE040F9647F276D76D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.528{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.496{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.470{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.446{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.426{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.422{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:04.419{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 23542300x8000000000000000102299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:05.442{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78544298C8EA1029A0C1531DA9D2D321,SHA256=E7474CEA4707D51EDAB5A5DEA7F33BCED06E60E50828DD1D8CC7F490E9A3BB5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:05.505{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8BC1558874549EBC0C813E6560DFB5,SHA256=8847AE96D0E111949502A895BA525257E61E68B3FCCF72C364137193C6454CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:06.563{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B74223D8AE5A3328C912AE1A01AEB5,SHA256=3A098B8C9C16322F985E419BC42EE6DC647935088640E9DDBED8E05E1A43810D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:06.731{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6205D1CFDA67A66D3E966D2728A68429,SHA256=DC8B50CB9819F355D4BF37244065347202394E5859EF0B57801D0C2FC54027BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:07.666{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DD54C660C51EBE675867E24CAB6A78,SHA256=3B3889B47D6C83BC28BB723E469C3E4A9566AF5B3A0334970EC8A0B104755296,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:07.826{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:07.826{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:07.826{3EE3745C-BE84-63BE-0B00-00000000A802}632672C:\Windows\system32\lsass.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:07.818{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7898DC21CBA04878AF8EC557191D4BE7,SHA256=501A8625CC9AAEAC6158DFA77CF6683EC2EEDC03F1CADD5896746037E8A4D7C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:07.811{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-2100-00000000A802}1552C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000102301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:06.009{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59549-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000039518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:05.851{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49977-false10.0.1.12-8000- 23542300x800000000000000039524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:08.894{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47B8981EC7C6587F213163E7B1BD162,SHA256=B4BDAFA3281CD3C1F8304B91DBDF2191E21BDB156DE7F62D300B6B23532F6219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:08.767{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24385DDDFC4634454F0AC2C500364B52,SHA256=66F45040053D2941C4918FF12F6EEBAF362A5E40D2FD4FF29D65829F0EAA7E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:09.856{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008861B32F647E37006BBAD8FC9F4323,SHA256=43FBF96541F80C0CDBFB42D117416829255870CD60C59FE8049A8D055414E3E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:09.305{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:10.961{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034FED3B20B1F7874FCABCB8031D5983,SHA256=556E8A37E45DBE3B2F84EE41166C546D6EA0A85474E9096CA96E70DFE2AB7F97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:08.889{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49978-false10.0.1.12-8089- 23542300x800000000000000039526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:10.110{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C041A8AFF8946A4C6213E318756FD6B0,SHA256=F4BFA8AEC6B87547C199EDE0F0BD6979E6D6DA0FBB8710DA2427E7109276E595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.944{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=04A5FF9403E1AF59A9E556ED47A991A6,SHA256=30A619B20F61E1AB2F0E6585D973F527C87805291B4D639575C38FF2BE2FBE26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.542{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C433-63BE-4401-00000000A802}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.542{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C433-63BE-4401-00000000A802}3152C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.542{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C433-63BE-4401-00000000A802}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.543{3EE3745C-C433-63BE-4401-00000000A802}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.323{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFA558FA461ABDABD2C325C50244950,SHA256=F24BF22EA3D23C29966D405E04A673B46AB9CC871318EE7C9A70060F1FA52C6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.276{3EE3745C-C433-63BE-4301-00000000A802}35323816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.042{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C433-63BE-4301-00000000A802}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.042{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C433-63BE-4301-00000000A802}3532C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.042{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C433-63BE-4301-00000000A802}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.042{3EE3745C-C433-63BE-4301-00000000A802}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:12.147{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219FBAFCDAAD09BACC344EFF1EE813E1,SHA256=17ABB4B803FAC77361266EC371FD7655321DEDF1A44F2DA54FFCB86649F15915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.515{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4EAA4706B8A7D80F4B66B960F43984B8,SHA256=943049239484EB9FCBAB48F6C58C60AC194AB3CD6EF943C2168F5AF71BDE35AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.327{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B74BE6417F67BFADF4DAE59063C19F,SHA256=7924F4054176C3D1BDDF8E6AD3183953A9B4B2A6163D4D6AE9F7DC129F158D31,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000039570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.093{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=905FC363F9032BB13F40AEC057424B64,SHA256=310CF02A5196E3BAE6CE1D7735E126C7F7C7A0CD90B9CED00B3836ED20E34A20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C434-63BE-4501-00000000A802}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x800000000000000039567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C434-63BE-4501-00000000A802}1068C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C434-63BE-4501-00000000A802}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.047{3EE3745C-C434-63BE-4501-00000000A802}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:11.940{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59550-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:13.246{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825202F7730F67D3BA306E5EF95F786C,SHA256=5A82192FBABEA89751BD58BC92A96BC53D46D3AE8DA36D7A89406EF915AC56B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.661{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49979-false10.0.1.12-8000- 23542300x800000000000000039573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:13.403{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=474FFD697B19ECFE9C8753D5E8948755,SHA256=C0D22E11612E4909D20C6A0E6BCC2BB3E1DDCE54A2B2BE6EC034FFCAA317D741,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:14.584{7DAC9CB3-BE89-63BE-0D00-00000000A702}8966096C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:14.349{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86477C39E75EF71202F327CECAD3368F,SHA256=90E247122134CC330501A0A3C32D2782B98DF91A68607AD39DE3723721B39AC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.836{3EE3745C-C436-63BE-4701-00000000A802}3868356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.570{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C436-63BE-4701-00000000A802}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.570{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C436-63BE-4701-00000000A802}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.570{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C436-63BE-4701-00000000A802}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.572{3EE3745C-C436-63BE-4701-00000000A802}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.507{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861B82FB615E19E43D06C50C94BC8A49,SHA256=443A0AFC00EE5C749EFD470B9065304C04C087461B3E83F94C1AC280B333B98F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.195{3EE3745C-C436-63BE-4601-00000000A802}37603840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.004{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C436-63BE-4601-00000000A802}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.004{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:14.004{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.004{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:14.004{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.004{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:14.004{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.004{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:14.004{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.004{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.004{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C436-63BE-4601-00000000A802}3760C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.004{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C436-63BE-4601-00000000A802}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.005{3EE3745C-C436-63BE-4601-00000000A802}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:15.789{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38DD5F619AAD1E768680EADD7C67559A,SHA256=5C36C9358C88EE9D4E355AF840D151D82A17E87CE498BCB6431E576B8D18FC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:15.963{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:15.439{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA950C838F7CB287210A1998979E19DC,SHA256=1C428E4E5DA9F08F4685A03F954D2C16A3830E047CEF4BF89C0CBC3A9EDA0D34,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000039617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:15.380{3EE3745C-C437-63BE-4801-00000000A802}8363944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:15.177{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C437-63BE-4801-00000000A802}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:15.177{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:15.177{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:15.177{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:15.177{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:15.177{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:15.177{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:15.177{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:15.177{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:15.177{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:15.177{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C437-63BE-4801-00000000A802}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:15.177{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C437-63BE-4801-00000000A802}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:15.178{3EE3745C-C437-63BE-4801-00000000A802}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:16.920{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=170396E0D442E42DC16A4180C75861CB,SHA256=C7567F1DCDE7503354DB2422BEB27B1D4169ED815599D5F1AFD9CFB5B2BD1376,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000102313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:16.528{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B990C85A3C842CFEB26160BFBEA37A6E,SHA256=672594DB2F7D5A9A6E9994CDF87100D80D6B85DD8E0051DAF74768E119924609,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:16.593{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C438-63BE-4901-00000000A802}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:16.593{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:16.593{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:16.593{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:16.593{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:16.593{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:16.593{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:16.593{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:16.593{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.653{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.649{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.648{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.645{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x8000000000000000102354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.191{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0330AF6C0BCC6DF9F6C641B09A6C4580,SHA256=CD839143396FE0F7DB03DF3EF6EDCD1CFC20C2CDB116756662FA9B4711968B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.129{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.128{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.127{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000039669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.606{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.601{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.599{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.595{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.593{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.590{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.589{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.587{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.582{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.575{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.557{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.553{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.551{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.542{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.534{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.532{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.515{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.503{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.476{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.468{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.459{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.450{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.441{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.433{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.424{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.417{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:32.975{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ADC46341D3CD599AEE687B168626232,SHA256=4E1D5E3121DBCD190632824EFCAF55EAB427377488D93CB04FF1DBEEB8715FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:32.093{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454408994CE70CE4776A8BA45EA7D55E,SHA256=FBE74CA50ED1343564FF10021F67ED813D9F43045E42647831A63F249E2A6E84,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:29.741{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59555-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 
354300x8000000000000000102412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:29.741{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59555-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 23542300x800000000000000039679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:33.196{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4DC316BB74765F1D334A9CCBDB1583,SHA256=C6101328F7D54ABBA1C4CCBE990C0BC1363E73BC91EFC6AE2963BFBA939F9E56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.481{7DAC9CB3-C449-63BE-A401-00000000A702}69806572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.340{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.339{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.339{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.338{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.338{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.338{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.216{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.213{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.213{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.213{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.213{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:14:33.213{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.213{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.212{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:34.296{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC960B8EEEBB441F29A81F5EA666E0B5,SHA256=537B389C10C648FA5BCE7400312E07ECFAF041CB0A91C95A4F238644592F29C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.858{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C44A-63BE-A601-00000000A702}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.858{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.858{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.858{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.858{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.858{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C44A-63BE-A601-00000000A702}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.858{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C44A-63BE-A601-00000000A702}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.859{7DAC9CB3-C44A-63BE-A601-00000000A702}3408C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.418{7DAC9CB3-C226-63BE-5B01-00000000A702}4528ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2023-01-11_141420MD5=A7A8591770D1E7947AFD20661385A67A,SHA256=C6AE17AEA8C7CE3A07315BB9D82036EEE1FB4E1DEFB02E1D15CC325C92B45E77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.390{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C44A-63BE-A501-00000000A702}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 
10341000x8000000000000000102442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.389{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C44A-63BE-A501-00000000A702}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.389{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C44A-63BE-A501-00000000A702}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.389{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C44A-63BE-A501-00000000A702}6664C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.388{7DAC9CB3-C44A-63BE-A501-00000000A702}66646668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.186{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C44A-63BE-A501-00000000A702}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.186{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.186{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.186{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C44A-63BE-A501-00000000A702}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.186{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:14:34.186{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.186{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C44A-63BE-A501-00000000A702}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.187{7DAC9CB3-C44A-63BE-A501-00000000A702}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.090{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6588665C351844A2701F322ECDD91BE,SHA256=7309B7BA88290E24F6595589D10A11108581FB2CD01EB1C75547C3A6AA33402A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:33.863{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49983-false10.0.1.12-8000- 23542300x800000000000000039682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:35.586{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT 
AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\respondent-20230111135000-023MD5=CA0432AED8832FEC4A268ECD95555CC4,SHA256=F2EC2AB8CCFA0BEF84779FAA8BB551C0FFBD1784CE3F0961E9269E14E4DD7D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:35.393{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E651749FC83737C48BB636157DEE8387,SHA256=89E8DB4C6FC79BB78912C709962FBC7F593E96289B3CAB1562AFE769280A317C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:35.904{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96D1B1FCE905B9CFFCE4D3699F26BC91,SHA256=606DA36E77CE4D4895E5546BF9C2C75F20FF874FB0866EF04B9FB709E08FE7E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.012{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59556-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:35.176{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB34B8F6491CCD422491724D309904ED,SHA256=1EBE28286F9D09FB8964C6B1F3B6E2633FE01D1E014AFA34E8EF955099BA254B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:35.096{7DAC9CB3-C44A-63BE-A601-00000000A702}34083792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:36.593{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE73E9D7A03695501A7C2F868247EBAF,SHA256=AF8B4CF807C663353185383D1A495DF0BE4AF5FBA1AC8E45C535B122DC14185B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:36.584{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\surveyor-20230111134958-024MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:36.535{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C44C-63BE-A701-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:36.535{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:14:36.535{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:36.535{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:14:36.535{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:36.535{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C44C-63BE-A701-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:36.535{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C44C-63BE-A701-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:36.535{7DAC9CB3-C44C-63BE-A701-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:36.366{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98ED30D7F12E3AE604D6082443EA015A,SHA256=AB373B8AFA805D9847887F41DC280F2BDC98F6171C0622F41DE87C562C25A877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:37.688{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C57B02D970E690BD6DC8F18EDD57E9,SHA256=D2E5A8AD019A1EE20EADF898341F14CA08D02A16932BBCE50D6F0803A85E7565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:37.459{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB88DF97C903DBC55E560CB49E6D8F24,SHA256=9807A882061812004059351EFFA85EF154A5D40BBD8F258AF4B807D58EE00E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:38.786{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B3F853EB908C3187DAC594B70A5453,SHA256=76CE746E5F37D2C6649AA5F354C3F441DC896D3C51376E8A852C342C5E5E4A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:14:38.551{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3931132C51BE421517D42699E87AE096,SHA256=71376A36C6B141FF7A762F981A1F65241FF98449DBC3072EBE613D0701407F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:39.886{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE97A95AE1AF8F3C8576D55871B697F,SHA256=938ABCF28FBDC8418BE0AC87E6D0395AF3DA48C2BAF1937B37978B264DA1727F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:39.644{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1A74EDE1C1BE2F9DE88EB6D0B63749,SHA256=F69508BCD633FC8C716E2C4FFE3F9DBC8AFEEF7F748AEF5471EEF35FEF430AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:39.238{7DAC9CB3-C226-63BE-5B01-00000000A702}4528ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2023-01-11_141420MD5=F70250679FF7648CFE8FB2B4B1EF0C77,SHA256=32017BF17DE9F582E72AB851F09A4777154E7796689844EB17D08B41A076CCBB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000102468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:39.238{7DAC9CB3-C226-63BE-5B01-00000000A702}4528ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=4EBD3DC66CBC7FA14171CD13DD4ADD2D,SHA256=D4DEF05F896BADA80B1E9D6DED7A44C7CD46242223146B131AA73D3BB94F805D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:40.985{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=136A576DE6737DE4FD7DBFC0AAD72AC3,SHA256=8247D1FCEA5131156225E44F6E228BB037A058DBBC994B9FB27AF348C0636D43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:40.995{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:40.993{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 13241300x8000000000000000102481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000102480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0016aa3f) 13241300x8000000000000000102479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d925be-0xa9a23902) 13241300x8000000000000000102478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d925c7-0x0b66a102) 
13241300x8000000000000000102477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d925cf-0x6d2b0902) 13241300x8000000000000000102476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000102475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0016aa3f) 13241300x8000000000000000102474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d925be-0xa9a23902) 13241300x8000000000000000102473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d925c7-0x0b66a102) 13241300x8000000000000000102472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d925cf-0x6d2b0902) 
23542300x8000000000000000102471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:40.748{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C491C7FA7A82FCB0F231065A43D6D650,SHA256=84AAD6CB937B026FABA9C702556156B8C51D2ED42A2EF6E4E87F0F6DFA507A44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.777{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.775{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.765{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.762{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.753{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x8000000000000000102528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:44.415{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:44.413{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:44.400{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:44.390{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:44.361{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:44.352{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:44.336{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:44.330{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:44.328{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:44.325{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:44.321{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:44.318{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:44.317{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:44.314{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x800000000000000039698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.453{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.440{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.426{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.416{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.414{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 23542300x800000000000000039724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:45.545{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA25B8DFD1B432921F37EB7D6F40C28,SHA256=2562B3C0E04FA97D0B22757DC5368E68F213F73F08B97BA5C367BF857DD110BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:45.051{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7746F71588CB4EED9085CC95F01246C9,SHA256=8CAB8BA16FDDB81FF1EA29848DEA56628420A029A2C681C57DE78D65638BF32F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:45.024{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:14:45.024{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:45.024{7DAC9CB3-BE87-63BE-0B00-00000000A702}636676C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:14:45.008{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:46.654{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B593B3EFC4C2B49AB273C8022D2E71,SHA256=22A11D19216F335E08713718BEF14A03D66843BD48F4A4DB8586064716D082EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:46.025{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEAE1CE7D2C6C76DFE43F8A9E60050AF,SHA256=B35B30F5173EFADC18D435C596B068CE3333621742943B5966CBAA959EB03F8B,IMPHASH=00000000000000000000000000000000falsetrue 
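The records above are Sysmon XML events with the tags stripped, so every field boundary has collapsed into one run of text. As an added example (not part of this dataset or of any of the tools named in it), the Python below rebuilds the System header and the Event 10 and Event 23 fields from that fused form, then triages every ProcessAccess whose target is lsass.exe by its GrantedAccess mask. The sample input copies four records from this page (39695, 102533, 102532 and 102536, with 39695 wrapped across two lines the way the page wraps it) and adds one constructed record, id 999999 with image C:\Users\Public\dumper.exe and mask 0x1010, that stands in for a credential dumper. The severity tiers, the right-bit constants and the "RuleName is always -" assumption are mine, not something the page defines.

```python
"""Rebuild fields from the tag-stripped Sysmon records on this page and triage access to lsass.exe."""
import re
from dataclasses import dataclass, field

# With the XML tags gone, a record is the System block followed by the EventData values, with no
# separators: EventID Version Level Task Opcode Keywords EventRecordID Channel Computer RuleName UtcTime.
# Sysmon sets Task equal to EventID; the back-reference is what makes the fused digit run parseable.
HEADER = re.compile(
    r"^(?P<event_id>\d+)(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"
    r"(?P<keywords>0x[0-9A-Fa-f]{16})(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>.+?)-"  # RuleName is "-" in every record on this page; other exports may differ
    r"(?P<utc_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})(?P<body>.*)$"
)
# Event 10 (ProcessAccess). SourceProcessId and SourceThreadId are fused ("15524044") with no way to
# split them back, so they stay one field. GrantedAccess is matched lazily because the CallTrace that
# follows starts with a drive letter, which is also a hex digit: "0x40C:\..." is 0x40 followed by "C:\...".
PROCESS_ACCESS = re.compile(
    r"^(?P<source_guid>\{[0-9A-Fa-f-]+\})(?P<source_pid_tid>\d+)(?P<source_image>.+?)"
    r"(?P<target_guid>\{[0-9A-Fa-f-]+\})(?P<target_pid>\d+)(?P<target_image>.+?)"
    r"(?P<granted_access>0x[0-9A-Fa-f]+?)(?P<call_trace>(?:[A-Za-z]:\\|UNKNOWN).*)$"
)
# Event 23 (FileDelete): ProcessGuid ProcessId User Image TargetFilename Hashes IsExecutable Archived.
FILE_DELETE = re.compile(
    r"^(?P<process_guid>\{[0-9A-Fa-f-]+\})(?P<process_id>\d+)(?P<user>.+?)(?P<image>[A-Za-z]:\\.+?\.exe)"
    r"(?P<target_filename>.+?)(?P<hashes>MD5=[0-9A-F]+,SHA256=[0-9A-F]+,IMPHASH=[0-9A-F]+)"
    r"(?P<is_executable>true|false)(?P<archived>true|false)$"
)
# Records are separated by a single space, so a boundary is a space followed by another fused header.
RECORD_BOUNDARY = re.compile(r" (?=\d{5,}0x[0-9A-Fa-f]{16}\d+Microsoft-Windows-Sysmon/Operational)")


@dataclass
class SysmonRecord:
    event_id: int
    record_id: int
    computer: str
    utc_time: str
    body: str
    fields: dict = field(default_factory=dict)


def split_records(text: str) -> list:
    # Line breaks in the dump fall on spaces ("C:\Program " / "Files\..."), so rejoin with one space.
    joined = " ".join(line.strip() for line in text.splitlines() if line.strip())
    return [r for r in RECORD_BOUNDARY.split(joined) if r]


def parse_record(raw: str) -> SysmonRecord:
    h = HEADER.match(raw)
    if not h:
        raise ValueError(f"unrecognised record: {raw[:60]!r}")
    rec = SysmonRecord(int(h["event_id"]), int(h["record_id"]), h["computer"], h["utc_time"], h["body"])
    body_re = {10: PROCESS_ACCESS, 23: FILE_DELETE}.get(rec.event_id)
    m = body_re.match(rec.body) if body_re else None
    if m:
        rec.fields = m.groupdict()
    # Event 3 (NetworkConnect) stays unparsed: its ip/hostname/port values have no recoverable boundary.
    return rec


# Process access rights that matter for credential theft from lsass.exe (winnt.h values).
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE = (
    0x0002, 0x0008, 0x0010, 0x0020, 0x0040)
MEMORY_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE


def triage_lsass_access(rec: SysmonRecord):
    """(severity, source image, mask, unknown frame?) for an Event 10 targeting lsass.exe, else None."""
    if rec.event_id != 10 or not rec.fields.get("target_image", "").lower().endswith("\\lsass.exe"):
        return None
    access = int(rec.fields["granted_access"], 16)
    # A frame Sysmon cannot map to a module prints as UNKNOWN(...). The agent traces on this page end
    # in one as well, so treat it as corroboration rather than as a signal on its own.
    unknown_frame = "UNKNOWN(" in rec.fields["call_trace"]
    if access & MEMORY_RIGHTS:
        severity = "high"    # can read or write LSASS memory: MiniDump-style credential dumping
    elif access & PROCESS_DUP_HANDLE:
        severity = "medium"  # can duplicate handles out of LSASS; fine for a scanner, worth baselining
    else:
        severity = "info"    # query-only masks such as 0x1400 (lsm.dll over RPC on this page)
    return severity, rec.fields["source_image"], f"0x{access:x}", unknown_frame


def triage(text: str) -> list:
    rows = []
    for rec in map(parse_record, split_records(text)):
        verdict = triage_lsass_access(rec)
        if verdict:
            rows.append((rec.record_id, *verdict))
    return rows


# Constructed input: four records copied from this page (39695 wrapped over two lines as the page wraps
# it, then 102533, 102532, 102536) plus one made-up record, id 999999, standing in for a dumper.
SAMPLE = r"""
10341000x800000000000000039695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.416{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190)
23542300x8000000000000000102533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:45.051{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7746F71588CB4EED9085CC95F01246C9,SHA256=8CAB8BA16FDDB81FF1EA29848DEA56628420A029A2C681C57DE78D65638BF32F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000102532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:45.024{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000102536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:45.007{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59558-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x8000000000000000999999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:00.000{3EE3745C-C100-63BE-9900-00000000A802}51205132C:\Users\Public\dumper.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Users\Public\dumper.exe+1a2b0
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Run as-is it prints one row per lsass.exe access: the agent's 0x40 (PROCESS_DUP_HANDLE) open, which on this page is what aurora-agent.exe does to every process and so belongs in a per-host baseline rather than an alert; the 0x1400 query-only open that svchost.exe makes through lsm.dll over RPC; and the constructed 0x1010 open, which carries PROCESS_VM_READ and is the pattern a dumper needs. Event 3 records are recognised but their body is left raw, because once the tags are gone there is no safe way to tell where a hostname ends and a port begins.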
23542300x800000000000000039726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:47.755{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6316A2315A567D251F09D17B7D055A,SHA256=96C7685DB30E574830BF13B7DACADB10E497D5C87C758F8ED2674FB9C06A36C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:45.007{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59558-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:47.119{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D78EAD444F10EC75076EF92735C125,SHA256=B5A287E1CBE5FFC345AD07AEFC848DE737BDD44DB9BD3249FAE477201DBF704B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:48.849{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE49C98C1A58F6995E9D1A08B3B5586,SHA256=3215C4A06E79AE2C277EDBDB383700196479346FFAA079112D28B00060396BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:48.309{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBFF08631C67ADD53B58B5BAAB534A0,SHA256=C02529847BD4A0038DCBC3CD764D16689826D97F938CD755873700229583D097,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:45.673{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49985-false10.0.1.12-8000- 23542300x8000000000000000102538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:49.400{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75B9F280084CCC01CFBB83762D26A1D,SHA256=75ECCC6D78707365F671CCB009CB8D3C7DB4FE731251AD190B4E1BE4C30A04E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:50.599{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188B4DBE88882A5CB3DB9805008D278A,SHA256=FD30FCAC6969576E16E48C594FE7CE04E92F0D6D38C87371F919D0D96A27975A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:50.066{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66557438EDF94C21F8E5BA51CC5EC568,SHA256=8E8B6D3C13FE87618F0F9632D9ED00280D638F0BE9F4375AF54916B4115482FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:51.702{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A842D38670E3CA5718B6A20D485148A,SHA256=4EC1B452F4DFAEF9A6AAEBC44EAD8B0362BCCE99F98AD0C609EE4C2322D33E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:51.156{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE376DD6DCF75686511E74A2A3F55540,SHA256=7CACB1BB1F12606CA35459FC6FEFEBFB72856DC49498825F39F391E8E6E44FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:14:52.917{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F6E2C7078849603CCEBDEA5EBF6ADE,SHA256=DCE315225BF5859635B8C12BE7217901DE384AC813EF13DA16AF85384D8EB83C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:52.232{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2369941E13F3D10E3EC7AF2BBEE6926,SHA256=E53EC03997868A95C53C3F9BEAB4F60E0BE6F4966DA806FA479B353E6CF91287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:53.325{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8206B78E2B5E3B1AEFF260DB210EFF2E,SHA256=C6227A6F8D4ED70432C562D52B000FF720CDA21A9E613CC1E2182C46C470491F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:51.642{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49986-false10.0.1.12-8000- 354300x8000000000000000102543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:14:51.020{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59559-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:53.046{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\respondent-20230111135017-023MD5=07F426DA1BACB3E11353998655DE41A4,SHA256=9692EE6582095E917EA0BD91D619685FE73AB8816512AD24B6859CB275BF64B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:54.409{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=732370B0AD9B721449C705FCC7A851E4,SHA256=2576DD70958C75F555B835B9853221EC518D083D5BBFC0E0BA1304D4FCC78D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:54.044{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\surveyor-20230111135015-024MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:14:54.011{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3B3C20BAADBEB7484EAAE0C8A01E14,SHA256=0D18E09BF6EF3F4F66D579FAEC3C1B166102B04FA6809DC2B4C3EE1B819A0FE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:55.503{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C1F19AEDF189242C38AC793AA1644F1,SHA256=E43E7585E0EAB2D5318C24E4A316D00DCAC68E5DC706A25A14F946B823FD25E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:55.116{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE20C6534E4482BC80FE0F6C76C87DE8,SHA256=1C2987F2A1AB3ECBB47C56A952AF0D1E895C08B6E15C003061EDE2C3BF9D1274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:56.716{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2823E836C1003DE4DEC16B52106E4453,SHA256=83A897D749983F99A5F32BF37D32E0F4B550B613AAC5C3EF74D24FA4D661130D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000102547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:56.218{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2428A41B65045B8A30EEC85C7E5299,SHA256=6449A95A849F86A5D3DCCEE82C1947127B8283553B7D4D11B9537AD58F1EE89A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:57.966{3EE3745C-BE85-63BE-1100-00000000A802}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D04BE00182DB951F4EB9C959969A9684,SHA256=E34BEE65FBCB40C545DBFB77C277014B7615593B82A3348148A828DC5FA97DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:57.808{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A857524A7851A156F80C23C7B6DED509,SHA256=C3FB3A4A8DFDBA59F822B1E717FE917A9EC0000C7AD9B7F39DC1633667B606A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:57.320{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E7BF55D48A61C467A25E054392022C,SHA256=E6FE5B5A4E92FE8216B9E4CBC654A3C16104E1018A5D2341D4612B87DB821191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:58.904{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6C695ACDCD6CB2C75BBD8C92B7E43A,SHA256=9809AD36BFE49879AF813DBEB08FC6EBA4B26E1F1315A0DD4F41DA6E9504664E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:56.974{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59560-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:58.420{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF9B9588C5823D94313676C6B68884B,SHA256=178DC75B89FDF3496B8F8039D127B83C3C121E25639849AA437AA96040EF202D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:56.768{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49987-false10.0.1.12-8000- 23542300x8000000000000000102551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:59.523{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8BD90BD8615AA63E45552DA4D19016,SHA256=B6AD6D69A040444B583DD94892376D72EEBCBF6956F23E2E491A88B8CFE3C0A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:00.989{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:00.987{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x8000000000000000102553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:00.882{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DB6C45BA1DD794E42878C279F034B081,SHA256=400FFDA5DDF664D6DF31A97B24C51A46C37B3C758ABF17DDF416CCE11F21FF2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:00.616{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B11677F6811F8BCB1925EF2FE7ACC6,SHA256=EB9790EFAA06F43A81FDCE219E8E5A36E75CA3C875E44EBB3C1D3C029487D776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:00.112{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E3D12F2E1EA2FD01CAB371700E5F92,SHA256=1A6504F798B732A5394C9709A803816E39E6FBBAEB43546E2A85C3EB82602EAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.836{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.834{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.829{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.826{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.819{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.816{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.811{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x8000000000000000102573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.761{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6FB10C8BFC0F17EA2A5E432D77713B5,SHA256=EB2AEFB187FA98F850B7E0D08A8DEB34775E7C198A523B4CD3BF5E63158FFF87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:01.318{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48486BD9B84F0E0CD29C8A6824FA053,SHA256=E229BF238E7046305E8ED1C7D35B67F2A7B85885ADD7EEFBD62B91E4EDC757DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.237{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.220{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.210{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.207{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.205{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.203{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.169{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.159{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.154{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.137{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.122{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.108{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.097{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.085{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.068{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.054{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.046{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x8000000000000000102582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:02.858{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57D3EFE2A3F372DDCFCDFCADF29AB08,SHA256=EF6B64C041B4E868DCE3DC7D8EFAD0843C964FEC516F9BE0AEA03D857940AFF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:00.218{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49988-false169.254.169.254-80http 23542300x800000000000000039743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:02.410{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2A8781F778B98776914BB8CE14AD23,SHA256=2498B2DCC6F77FE5FA3F7494E4DE8C18F1094FD6C023C9C3EE2B1A5E575B8A32,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000102581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:02.112{7DAC9CB3-BE89-63BE-1100-00000000A702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2D7818BB8725E8573939117B5D213B23,SHA256=1F0A74D9FBCE1D4FDE8D6AE8A68FF48CE6153D1FA93EC0EF4397AC8B7697D07D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:03.942{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FEE24C4736BC963205E7501E2EE3B9,SHA256=0054DD54887447886B5C6EF708A54AF453AA2CFFE3D0115F044397664CEF130F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:03.876{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:03.875{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:03.874{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 354300x800000000000000039746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:01.840{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49989-false10.0.1.12-8000- 23542300x800000000000000039745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:03.502{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3517B8AE44B4039A6DCCBEE41703A9,SHA256=F02C604B861AFD7C9C2613E131EB69260907D23D2473B2CA530B14B53CFDA016,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.698{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.693{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.687{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.683{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.681{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.677{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.674{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.673{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.669{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.659{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.648{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.639{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.634{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.617{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.600{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.595{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 23542300x800000000000000039760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.581{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0A1841E2860FE1F409E4403B5A4B3D,SHA256=B1413ED43D8D9E7508DE22405A782E74B9795ED3CF0FE75EFBDE91BFB063D008,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.574{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.560{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 354300x8000000000000000102601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:02.983{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59561-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000102600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.510{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.508{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.492{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.472{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.424{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.416{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.404{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.399{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.397{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.394{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.390{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.387{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.386{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.383{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000039757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.525{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.518{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 
Sysmon events, one record per line. The export had its field delimiters stripped, so the records below are re-split into Sysmon field names. Fields identical on every record are stated once here rather than repeated: Channel=Microsoft-Windows-Sysmon/Operational, Level=4, Opcode=0, Keywords=0x8000000000000000, RuleName=-. EventID 10 (ProcessAccess) records are Version=3, Task=10; EventID 23 (FileDelete) records are Version=5, Task=23. SourceProcessId and SourceThreadId were fused into one number in the export (e.g. 1552340, 896916); they are split here using the ProcessId that other records on this page attach to the same ProcessGUID, and both halves are multiples of 4 as Windows process and thread IDs must be. UtcTime values that were wrapped across lines are rejoined. Records are listed in the page's order (descending EventRecordID); the final record is cut off at the section boundary and is left as exported.

EventID=10 EventRecordID=39755 Computer=win-host-ctus-attack-range-780 UtcTime="2023-01-11 14:15:04.503" SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=340 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={3EE3745C-BE85-63BE-1200-00000000A802} TargetProcessId=1004 TargetImage="C:\Windows\System32\svchost.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190)"
EventID=10 EventRecordID=39754 Computer=win-host-ctus-attack-range-780 UtcTime="2023-01-11 14:15:04.484" SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=340 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={3EE3745C-BE85-63BE-1100-00000000A802} TargetProcessId=972 TargetImage="C:\Windows\System32\svchost.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190)"
EventID=10 EventRecordID=39753 Computer=win-host-ctus-attack-range-780 UtcTime="2023-01-11 14:15:04.467" SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=340 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={3EE3745C-BE85-63BE-1000-00000000A802} TargetProcessId=944 TargetImage="C:\Windows\System32\svchost.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190)"
EventID=10 EventRecordID=39752 Computer=win-host-ctus-attack-range-780 UtcTime="2023-01-11 14:15:04.446" SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=340 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={3EE3745C-BE85-63BE-0F00-00000000A802} TargetProcessId=904 TargetImage="C:\Windows\system32\dwm.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190)"
EventID=10 EventRecordID=39751 Computer=win-host-ctus-attack-range-780 UtcTime="2023-01-11 14:15:04.432" SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=2908 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={3EE3745C-BE85-63BE-0E00-00000000A802} TargetProcessId=896 TargetImage="C:\Windows\system32\LogonUI.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810)"
EventID=10 EventRecordID=39750 Computer=win-host-ctus-attack-range-780 UtcTime="2023-01-11 14:15:04.425" SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=2908 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={3EE3745C-BE84-63BE-0D00-00000000A802} TargetProcessId=788 TargetImage="C:\Windows\system32\svchost.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810)"
EventID=10 EventRecordID=39749 Computer=win-host-ctus-attack-range-780 UtcTime="2023-01-11 14:15:04.418" SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=2908 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} TargetProcessId=728 TargetImage="C:\Windows\system32\svchost.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810)"
EventID=10 EventRecordID=39748 Computer=win-host-ctus-attack-range-780 UtcTime="2023-01-11 14:15:04.413" SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=2908 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={3EE3745C-BE84-63BE-0B00-00000000A802} TargetProcessId=632 TargetImage="C:\Windows\system32\lsass.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810)"
EventID=10 EventRecordID=39747 Computer=win-host-ctus-attack-range-780 UtcTime="2023-01-11 14:15:04.412" SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=2908 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={3EE3745C-BE84-63BE-0900-00000000A802} TargetProcessId=572 TargetImage="C:\Windows\system32\winlogon.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810)"
EventID=23 EventRecordID=39777 Computer=win-host-ctus-attack-range-780 UtcTime="2023-01-11 14:15:05.652" ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=2750A2F8E895927C98857BF3C9004A87,SHA256=497877427FFE8171C355B204540FC4345357F1C87BF6FF936769B75038B11539,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=23 EventRecordID=102602 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:05.144" ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=CC3F1DF77DCE039F813A09A9302F2C3C,SHA256=761926201466FAE72113CCB2AEECB1313C59DADF56CBF2707525C899EBAC0951,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=23 EventRecordID=39778 Computer=win-host-ctus-attack-range-780 UtcTime="2023-01-11 14:15:06.747" ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=10D0363814371A405BF1DCB8EB85555C,SHA256=CB0198906E4487D9106736467FE84D5758FE0EEB0A545367115C68916C28EDEC,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=23 EventRecordID=102634 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.547" ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=7B6EDDB5EF8133E717646B6AF1DFCB72,SHA256=E65DFF9D2E826C5A89CC38D3EF7C099515837B25604F9DE17223E348090F3E3A,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=10 EventRecordID=102633 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF91-63BE-AF00-00000000A702} TargetProcessId=4604 TargetImage="C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102632 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF91-63BE-AF00-00000000A702} TargetProcessId=4604 TargetImage="C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102631 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF91-63BE-AF00-00000000A702} TargetProcessId=4604 TargetImage="C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102630 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF90-63BE-AE00-00000000A702} TargetProcessId=4168 TargetImage="C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102629 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF90-63BE-AE00-00000000A702} TargetProcessId=4168 TargetImage="C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102628 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF90-63BE-AE00-00000000A702} TargetProcessId=4168 TargetImage="C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102627 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF90-63BE-AE00-00000000A702} TargetProcessId=4168 TargetImage="C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102626 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF90-63BE-AE00-00000000A702} TargetProcessId=4168 TargetImage="C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102625 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF90-63BE-AE00-00000000A702} TargetProcessId=4168 TargetImage="C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102624 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF90-63BE-AE00-00000000A702} TargetProcessId=4168 TargetImage="C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102623 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF90-63BE-AE00-00000000A702} TargetProcessId=4168 TargetImage="C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102622 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102621 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102620 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102619 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102618 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102617 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102616 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102615 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102614 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102613 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102612 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102611 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102610 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102609 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102608 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102607 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102606 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.013" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102605 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.012" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102604 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.012" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=102603 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:06.012" SourceProcessGUID={7DAC9CB3-BE89-63BE-0D00-00000000A702} SourceProcessId=896 SourceThreadId=916 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=23 EventRecordID=39783 Computer=win-host-ctus-attack-range-780 UtcTime="2023-01-11 14:15:07.837" ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=2B73E018022DE62296FDFDD902C0BF19,SHA256=9668F2E6E26A5D29AD5A884D1CA37FC8AFCDE849F19D9E7565D85D985CCBF434,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=10 EventRecordID=39782 Computer=win-host-ctus-attack-range-780 UtcTime="2023-01-11 14:15:07.826" SourceProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} SourceProcessId=728 SourceThreadId=872 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={3EE3745C-BE84-63BE-0B00-00000000A802} TargetProcessId=632 TargetImage="C:\Windows\system32\lsass.exe" GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=39781 Computer=win-host-ctus-attack-range-780 UtcTime="2023-01-11 14:15:07.826" SourceProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} SourceProcessId=728 SourceThreadId=872 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={3EE3745C-BE84-63BE-0B00-00000000A802} TargetProcessId=632 TargetImage="C:\Windows\system32\lsass.exe" GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=39780 Computer=win-host-ctus-attack-range-780 UtcTime="2023-01-11 14:15:07.826" SourceProcessGUID={3EE3745C-BE84-63BE-0B00-00000000A802} SourceProcessId=632 SourceThreadId=672 SourceImage="C:\Windows\system32\lsass.exe" TargetProcessGUID={3EE3745C-BE85-63BE-1400-00000000A802} TargetProcessId=1032 TargetImage="C:\Windows\system32\svchost.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=39779 Computer=win-host-ctus-attack-range-780 UtcTime="2023-01-11 14:15:07.812" SourceProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} SourceProcessId=728 SourceThreadId=872 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} TargetProcessId=1552 TargetImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=23 EventRecordID=102638 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:07.565" ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=26AE3F7E2695B27AFEF769954AC7BCA5,SHA256=625F1852F90C067F96B69583A46A3611F91002B957C2C1F85A8D4C8C89ED1DB7,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=10 EventRecordID=102637 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:15:07.173" SourceProcessGUID={7DAC9CB3-BE87-63BE-0B00-00000000A702} SourceProcessId=636 SourceThreadId=800 SourceImage="C:\Windows\system32\lsass.exe" TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} TargetProcessId=5040 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
10341000x8000000000000000102636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:07.173{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:07.173{7DAC9CB3-BE89-63BE-1300-00000000A702}9321556C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:08.927{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E881A8CF7BC03209CB5EBDB4F99F954,SHA256=650D4EAAAC98E0A01946A32FA22E61FF8EF4F778A55DE763729207042B7DCCF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:06.854{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49990-false10.0.1.12-8000- 23542300x8000000000000000102642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:08.975{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A89FDFCD19253D5068F7AFCC31307689,SHA256=A2C2B66BBA8FB2E7483BD6D380005D2027880095AF06B4CF965D2B92D05CAFF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:08.925{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:08.925{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:08.660{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885105DDDC3CFFE0ADA6B3A01052B5E5,SHA256=60C5FF2689FCC2BDB41DC4ECE67DF3FD253063B6AB144FD0CBF0277FADA07A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:09.758{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B2124F571CC6B1FA2F9400BF4C12DA,SHA256=AC020C5BA9B99D41372AF767DDFA08A9F958AEA375711F12A433175E67721397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:09.336{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.837{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4160979C171726F1B7B9B7B9AABC92B9,SHA256=BA03277C67DC0FC3AEC20792DDA2FF432243E8828CB951268D79CA5698FE05D5,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000039788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:08.917{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49991-false10.0.1.12-8089- 23542300x800000000000000039787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:10.026{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95904C3729D915D548CE6EFBE517F27E,SHA256=54865F933141766E84730A25E834770A70066A5ED50BF058C0037066C2078460,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:08.958{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59562-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000102667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.353{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404648C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4db7f|C:\Windows\System32\SHELL32.dll+4f465|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.353{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404648C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4f37e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.353{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404648C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4ddd4|C:\Windows\System32\SHELL32.dll+4f347|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.290{7DAC9CB3-BF8E-63BE-A600-00000000A702}45804820C:\Windows\System32\taskhostw.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.290{7DAC9CB3-BF8E-63BE-A600-00000000A702}45804820C:\Windows\System32\taskhostw.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.275{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405396C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4db7f|C:\Windows\System32\SHELL32.dll+4f465|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.275{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405396C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4f37e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.275{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405396C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4ddd4|C:\Windows\System32\SHELL32.dll+4f347|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.259{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405396C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.259{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4db7f|C:\Windows\System32\SHELL32.dll+4ede0|C:\Windows\System32\TwinUI.dll+12cc31|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.259{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+122b80|C:\Windows\System32\SHELL32.dll+4ed9c|C:\Windows\System32\TwinUI.dll+12cc31|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.259{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4ddd4|C:\Windows\System32\SHELL32.dll+4ed70|C:\Windows\System32\TwinUI.dll+12cc31|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.259{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ca69|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.244{7DAC9CB3-BE89-63BE-1600-00000000A702}13001396C:\Windows\System32\svchost.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.244{7DAC9CB3-BE89-63BE-1600-00000000A702}13001368C:\Windows\System32\svchost.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.244{7DAC9CB3-C46E-63BE-A901-00000000A702}62565520C:\Windows\system32\conhost.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.212{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23443600C:\Windows\system32\csrss.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.197{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.197{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.197{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23447124C:\Windows\system32\csrss.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.197{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.197{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.197{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50406264C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+7664b|C:\Windows\System32\windows.storage.dll+76361|C:\Windows\System32\windows.storage.dll+75fae|C:\Windows\System32\windows.storage.dll+77250|C:\Windows\System32\windows.storage.dll+75cfe|C:\Windows\System32\windows.storage.dll+9ccc5|C:\Windows\System32\windows.storage.dll+9d044|C:\Windows\System32\windows.storage.dll+1f85b4|C:\Windows\System32\windows.storage.dll+63ffa|C:\Windows\System32\windows.storage.dll+63d52|C:\Windows\System32\SHELL32.dll+a13e9|C:\Windows\System32\SHELL32.dll+9ff96|C:\Windows\System32\SHELL32.dll+92739|C:\Windows\System32\SHELL32.dll+536be|C:\Windows\System32\SHELL32.dll+170400|C:\Windows\System32\SHELL32.dll+17c11c|C:\Windows\System32\SHELL32.dll+19eb3c|C:\Windows\System32\SHELL32.dll+17c2b6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000102644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.198{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{7DAC9CB3-BF8D-63BE-B996-0B0000000000}0xb96b92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 
14:15:12.457{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.457{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:12.457{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.457{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:12.457{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.457{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:12.457{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.457{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C470-63BE-4C01-00000000A802}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.457{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C470-63BE-4C01-00000000A802}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.459{3EE3745C-C470-63BE-4C01-00000000A802}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.239{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB6A2D74A178747B92ABA81217A770B,SHA256=FC25F3614887C491AA4FB02D5455B01170EFDC38BCDA676E7E26F6CE07FD7587,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000039825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.192{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87DE85201534B5E5F35F8B40471BA26F,SHA256=148D55990899279C650531B894A9ACB0BC326333FF27D3B73E056327E403A036,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:12.248{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x8000000000000000102685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:12.248{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x8000000000000000102684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:12.248{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x8000000000000000102683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:12.247{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x8000000000000000102682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:12.247{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x8000000000000000102681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:12.247{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x8000000000000000102680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:12.040{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B95DD7926BDC9512BC8EDD0B04C36D6,SHA256=B3AEA8C82413B4DC5195A88897251CE872F3141148F65F4AA5130FF1180EA230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:13.344{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0066712347901227D8AD8FD7D3621AAB,SHA256=7BBB7BB41011138F90E503E54A42813FC55F96EDD2A785FFDFC64F5C4DC10AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:13.099{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D0062EEBA4056A0B5729E0DB8CDB69,SHA256=D347A77D898E36A532F5B6D039C5E65CFF9FAFF66DD9A4F48F6F3C111A40B98E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.966{3EE3745C-C472-63BE-4E01-00000000A802}7161872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000039875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.753{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49992-false10.0.1.12-8000- 10341000x800000000000000039874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.765{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000039873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.765{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000039872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.765{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000039871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.765{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000039870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.765{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000039869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.765{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000039868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.686{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.686{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.686{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.688{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.436{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B4FB219B97E94C4467BE693BB60370,SHA256=74A66D7D3DE73F75D38AD510A284AAB90D65A8E02A4FB25AE9D2B5F170D025A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:14.185{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAAFA5B9EC23AA4A874C3053911893B,SHA256=27D69F561D19FC2144F1FDE039E2088DC035FE11F1D2CC065688EE13A9D24DD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.313{3EE3745C-C472-63BE-4D01-00000000A802}1848436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.027{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C472-63BE-4D01-00000000A802}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.027{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C472-63BE-4D01-00000000A802}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.027{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C472-63BE-4D01-00000000A802}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.028{3EE3745C-C472-63BE-4D01-00000000A802}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:15.753{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E44023631CD6C2AE39BE46C183F9283,SHA256=7B00699F00D88525A1F46E4B98501F893791C9F71A853C3E15E0C6286230F020,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.479{3EE3745C-C473-63BE-4F01-00000000A802}3882024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:15.994{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:15.289{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6500A0C1503A4302978094524B4DCAF5,SHA256=CFC14A7BDB6AA0368E14A03683EA5F44FC3FE6392D1393F2EBE8B81F02A84F77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C473-63BE-4F01-00000000A802}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C473-63BE-4F01-00000000A802}388C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C473-63BE-4F01-00000000A802}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-C473-63BE-4F01-00000000A802}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:14.859{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59563-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:16.394{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=372A4C820243521010746F7F4550B89C,SHA256=04CD599467C4804B71AF886D49E663518BEB9A8E231BE3BC9ADBFC905D9C6726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.740{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA318C2B0CE5AC663184E8BD27A58D7F,SHA256=F535C88F08158F705BEBCC259B96A3B46C4BE2CAA9339A5BB6C647475C8DA805,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:16.584{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C474-63BE-5001-00000000A802}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.584{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C474-63BE-5001-00000000A802}2476C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.584{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C474-63BE-5001-00000000A802}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.585{3EE3745C-C474-63BE-5001-00000000A802}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:17.844{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08EC08A0BAF2D3D95E78361E885949E,SHA256=4BA014AC1EF86BD3E320E644C164D50DF75932B6CB97A08AA51E7E5577F5A59A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:15.787{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59564-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000102693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:17.495{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B57D4FC3B9D2122F847A46942670A4F,SHA256=EE663408677F8EFEA93645312C19A9BF07E7B4D73704AEA755B83FFA3A7471AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:17.637{3EE3745C-BE98-63BE-7400-00000000A802}3564NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B54A27ABA1BD74164E7DC9734D244275,SHA256=910551866B0ECF30D5A5793A86A4E2C00E4C348814733C16A2DEBC82DB258A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:18.944{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADC2ECFCD04864FACF6F79E9C27102A,SHA256=F46D25822C29E258ED1B5378A0D7834619FE47F3133A5E63C5D3DE9C47FA92F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:18.593{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB99EE900D792FBA120029466BECF81,SHA256=BA31789A52772E3368196C6051103486D77EB8E73145BF267AF8A89F82C0EED6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:19.922{7DAC9CB3-BE89-63BE-1600-00000000A702}13001396C:\Windows\System32\svchost.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:19.907{7DAC9CB3-BE89-63BE-1600-00000000A702}13001368C:\Windows\System32\svchost.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:19.907{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:19.907{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23445656C:\Windows\system32\csrss.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:19.891{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:19.891{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd52|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000102697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:17.913{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59565-false169.254.169.254-80http 23542300x8000000000000000102696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:19.688{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1CD6BB6A071D05C660EFCA63A922F8,SHA256=2EB5021923A534B0A6D6877FC8C466B34A035F9292A14F765A6C30E886AC129A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:20.994{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B7F48D8E178C714634420CA05D6B7B1,SHA256=0FF71C12BCA433E74C3F8ACC5365ECF305E95638681EEBE4C2F4C2AF3E7AF485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:20.888{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6347B144480D0AA772B1D22994AF97,SHA256=93FDC93625EAD2F4C61FC5EF8DE96E93ECBC41800A737E7462E3AC4AB7BB0244,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:20.413{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50406264C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8d3d|C:\Windows\System32\SHELL32.dll+2839ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000102710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:20.412{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50406264C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8d3d|C:\Windows\System32\SHELL32.dll+2839ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x8000000000000000102709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:20.401{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:20.401{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:20.400{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:20.399{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:20.399{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
10341000x800000000000000039940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.627{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.624{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.623{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.620{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.618{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.617{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.615{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.610{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.597{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 11241100x8000000000000000102831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.736{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-10 09:30:10.975 
23542300x8000000000000000102830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.736{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FB4E82D58E003A3A7CF7036A41C0B9C7,SHA256=2EA38CF1A1908556D337EA86049A22464139A69ABEE1929E600998A88D0B1FFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.725{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.716{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.716{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.715{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.714{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.711{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.711{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.710{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.710{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.710{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.708{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.707{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.707{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.706{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.706{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.706{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.706{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.705{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.703{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.702{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.702{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.702{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.702{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
14:15:24.178{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.178{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:24.178{7DAC9CB3-C46E-63BE-A801-00000000A702}57965536C:\Windows\system32\cmd.exe{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.134{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{7DAC9CB3-BF8D-63BE-B996-0B0000000000}0xb96b92HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000039944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:25.739{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDEA58C074EC98CB9FAE73B9505A8A0C,SHA256=9012E2659C015EAFC9FC371DD83A0214187BAECBB94188C9AC284AE2F9BD12E8,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000102835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:25.574{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000102834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:25.574{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FB84EE3CC59E202D168FF175078507,SHA256=DC92B3E4CFD3A1650CFE1D48ADD190E219133F272506F703106632CFC56B1DE7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000102833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:25.320{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000102832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:25.320{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data 23542300x800000000000000039946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:26.957{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19CD80CDD3678AAA6D1A0824B90CE7C7,SHA256=056436DD187B4ECF09F2BE08605D77EB80A0F6BE879A07FCF0603D21045BBF18,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:26.659{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000102836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:26.659{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493D216B3001391054351C9F89585FF9,SHA256=91621429B07FA1AC41C0090869615284A183BDA52B4E3C9B2AB32D658E7C0EA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:23.722{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49994-false10.0.1.12-8000- 11241100x8000000000000000102841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:27.741{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000102840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:27.741{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B860568ADAAEE33FF34EEF77D9B920,SHA256=2B492640C56161E5AA9B3B9929B1D72BC7E555F57283E84DA353C221A2489E5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:25.903{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59567-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000102838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:27.647{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-11 14:15:27.647 11241100x8000000000000000102843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:28.841{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000102842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:28.841{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4E88AB182170E5ACCC650600230D04,SHA256=D51440CA722268A3D0DF7FC9B95E8B661C13D4924C47D95DEF9C0669C9CD07B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:28.271{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C4C33F9E3F3A2A2732D5BDBA7CCAAD,SHA256=F45E583A6F975FE4161B36922B0779BBF332F54C98F830189956774D61B75CCF,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000102896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:29.940{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x8000000000000000102895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:29.940{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x800000000000000039948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:29.375{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D970E17E9DE5403196B8591DBA61E81,SHA256=718D799BE65D5761D17EED5CAF23726B03A846D7F022632D7FE2029E78EA7605,IMPHASH=00000000000000000000000000000000falsetrue 
734700x8000000000000000102894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.546{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000102893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.546{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000102892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.546{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000102891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.186{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000102890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.186{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000102889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.186{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000102888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.186{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000102887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.186{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000102886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.186{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000102885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.186{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x8000000000000000102884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.171{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000102883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.171{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000102882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.171{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.171{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000102880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.171{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000102879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.171{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000102878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.171{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating 
SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000102877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000102876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000102874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000102873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000102872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000102871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000102870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000102869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000102868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000102867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000102866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000102865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000102864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid
734700x8000000000000000102863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid
734700x8000000000000000102862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid
734700x8000000000000000102861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid
734700x8000000000000000102860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid
734700x8000000000000000102859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid
734700x8000000000000000102858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid
734700x8000000000000000102857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid
734700x8000000000000000102856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid
10341000x8000000000000000102855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x8000000000000000102854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid
734700x8000000000000000102853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid
734700x8000000000000000102852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid
734700x8000000000000000102851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid
10341000x8000000000000000102850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000102849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000102848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000102847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000102846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-BE86-63BE-0500-00000000A702}420536C:\Windows\system32\csrss.exe{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000102845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000102844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.156{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000039949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:30.476{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF939EE2D033BE8FAA1F974380D3576E,SHA256=B07998BCB7DA10DAE36035DAFB965F071CB828FD2C5F9E1FD8CF8985118B6FEC,IMPHASH=00000000000000000000000000000000falsetrue
734700x8000000000000000102948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.845{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid
734700x8000000000000000102947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.829{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid
734700x8000000000000000102946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.829{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid
734700x8000000000000000102945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.829{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid
734700x8000000000000000102944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.829{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid
734700x8000000000000000102943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.829{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid
734700x8000000000000000102942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.829{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid
734700x8000000000000000102941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.829{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid
734700x8000000000000000102940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.829{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid
734700x8000000000000000102939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid
734700x8000000000000000102938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid
734700x8000000000000000102937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid
734700x8000000000000000102936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid
734700x8000000000000000102935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid
734700x8000000000000000102934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid
734700x8000000000000000102933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid
734700x8000000000000000102932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid
734700x8000000000000000102931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid
734700x8000000000000000102930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid
734700x8000000000000000102929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid
734700x8000000000000000102928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid
734700x8000000000000000102927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.812{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid
734700x8000000000000000102926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.811{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid
734700x8000000000000000102925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.811{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid
734700x8000000000000000102924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.810{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid
734700x8000000000000000102923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.810{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid
734700x8000000000000000102922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.809{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid
734700x8000000000000000102921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.809{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid
734700x8000000000000000102920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.809{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid
734700x8000000000000000102919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.808{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid
734700x8000000000000000102918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.808{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid
734700x8000000000000000102917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.808{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid
734700x8000000000000000102916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.807{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid
734700x8000000000000000102915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.807{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid
734700x8000000000000000102914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.807{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid
734700x8000000000000000102913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.806{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid
10341000x8000000000000000102912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.806{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x8000000000000000102911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.805{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid
734700x8000000000000000102910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.805{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid
734700x8000000000000000102909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.804{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid
734700x8000000000000000102908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.804{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid
10341000x8000000000000000102907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:30.803{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.803{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:30.802{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.802{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:30.802{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.802{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.802{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000102900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.316{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000102899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.316{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=726223AE1A0B41AB5A62B08834E845D2,SHA256=F64E9B57B1A11522BB88B6B87485F69DCF66C8DE23042584A4EA78AFDADB221B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.080{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000102897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.080{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615DD91A62713AAE8D5593C6FB903E8A,SHA256=C6D6BD8A8E1DAFCEB4FF826416F088A90583ABB106D5CA1CAE2B667DA1B15381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:31.570{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16972A01117324DF7C343D0864D25F4,SHA256=A49312494FE81AC68C9B22440F715E8A8E0D078982FAD71D7E7AC1C30CBA6B4A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.975{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.975{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285F164CE0CF082CC8838962D7660BC8,SHA256=80C441BD475471EC37E71768AF8F856A1D279480F00DE1754BB7B0ADA9B1520C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.913{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000103018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.913{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000103017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.913{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000103016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.857{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-10 09:30:10.975 
23542300x8000000000000000103015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.857{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F03EF6988971F0950F6E4CB6CA5B9B9D,SHA256=E66AED0F116277857C6735A998ACE4823670AF0FC021998BD5389A4D3D93E9E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.842{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000103013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.842{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000103012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.842{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000103011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.841{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000103010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.841{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000103009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.840{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 734700x8000000000000000103008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.677{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000103007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.677{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000103006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.677{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 
(rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000103005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.662{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000103004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.662{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000103003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.662{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000103002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.662{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000103001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.662{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000103000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.646{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 
734700x8000000000000000102999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.646{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000102998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.646{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.646{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000102996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.646{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000102995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.646{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000102994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.646{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000102993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.646{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000103056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000103055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000103054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000103052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000103051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000103050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000103049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000103048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000103047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000103046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000103040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000103038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000103037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000103035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 
734700x8000000000000000103033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000103030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:33.214{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:33.214{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:33.214{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.214{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:34.866{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D8E075D284F2D6049896FAE1180C9D1,SHA256=42F411122F2A7B285185FA498C6A060E629516B89FDA19A01A333DCDB786758C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.871{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000103181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.871{7DAC9CB3-C486-63BE-B101-00000000A702}70244728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.871{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000103179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.871{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000103178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.730{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000103177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.715{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000103176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.715{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000103175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.715{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000103174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.715{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000103173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.715{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000103172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.715{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
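The records above are Sysmon events from the Microsoft-Windows-Sysmon/Operational channel with their XML element tags stripped and the values run together. Each one starts with the System block (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) and continues with the EventData values in schema order. For event ID 7 (image loaded) that order is RuleName (here "-"), UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, FileVersion, Description, Product, Company, OriginalFileName, Hashes, Signed, Signature, SignatureStatus. For event ID 10 (process access) it is RuleName, UtcTime, SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace. For event ID 1 (process create) the fields after Image are FileVersion, Description, Product, Company, OriginalFileName, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine. Read that way, this stretch shows splunkd.exe (PID 2656, running as a service) spawning splunk-powershell.exe (PID 5456) as NT AUTHORITY\SYSTEM, the child loading Microsoft-signed system DLLs and Splunk-signed libraries from its own bin directory, and handles opened on it by csrss.exe, conhost.exe and its parent splunkd.exe with GrantedAccess 0x1fffff (PROCESS_ALL_ACCESS), all ordinary for a freshly created console process; the repeated svchost.exe (PID 836) handles on sysmon64.exe carry 0x1400, which is only PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION.

The Python script below is added here as a worked example; it is not part of this dataset or of Sysmon or Splunk. It parses Sysmon events in their native event-log XML (the form `Get-WinEvent` returns from `.ToXml()` and that the forwarder ingests; it does not re-parse the flattened lines above), decodes the GrantedAccess mask into PROCESS_* rights, and runs three checks: image loads whose signature did not validate, loads from outside the Windows directory together with the signer that vouches for them, and process-access records that read LSASS memory or carry injection-capable rights, while suppressing the two benign shapes visible above (console-subsystem handles, and a parent's handle to the child it just created, correlated through the event ID 1 ParentProcessGuid). The sample events are constructed in the code and mirror the page's GUIDs, PIDs, paths and record IDs; the two entries under C:\Users\Public (a helper.exe reading lsass.exe with 0x1010, and an unsigned helper.dll) are invented so that every check has something to flag.

```python
"""Parse Sysmon events from their Windows event XML and run three checks over them."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PS = r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
SPLUNKD = r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
G_PS, G_SPLUNKD = "{7DAC9CB3-C485-63BE-AF01-00000000A702}", "{7DAC9CB3-BE97-63BE-2800-00000000A702}"

# PROCESS_* access rights from winnt.h, used to decode GrantedAccess in event ID 10.
ACCESS_BITS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION", 0x0010: "VM_READ",
    0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE", 0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA",
    0x0200: "SET_INFORMATION", 0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION",
}
INJECT_RIGHTS = 0x0002 | 0x0008 | 0x0020  # CREATE_THREAD | VM_OPERATION | VM_WRITE


def _event_xml(event_id, record_id, data):
    """Render one constructed event in the XML shape Sysmon writes to the event log."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f"<Event><System><EventID>{event_id}</EventID><EventRecordID>{record_id}"
            f"</EventRecordID></System><EventData>{body}</EventData></Event>")

# Constructed sample, (EventID, EventRecordID, EventData): GUIDs, PIDs, paths and record IDs
# mirror this page's records; the two helper.exe / helper.dll entries are invented negatives.
SAMPLE_EVENTS = [
    (1, 103024, dict(UtcTime="2023-01-11 14:15:33.214", ProcessGuid=G_PS, ProcessId="5456",
                     Image=PS, CommandLine=f'"{PS}"', User=r"NT AUTHORITY\SYSTEM",
                     ParentProcessGuid=G_SPLUNKD, ParentProcessId="2656", ParentImage=SPLUNKD,
                     ParentCommandLine=f'"{SPLUNKD}" service')),
    (10, 103025, dict(SourceProcessGUID=G_SPLUNKD, SourceProcessId="2656", SourceImage=SPLUNKD,
                      TargetProcessGUID=G_PS, TargetProcessId="5456", TargetImage=PS,
                      GrantedAccess="0x1fffff")),
    (10, 103026, dict(SourceProcessGUID="{7DAC9CB3-BE86-63BE-0500-00000000A702}",
                      SourceProcessId="420", SourceImage=r"C:\Windows\system32\csrss.exe",
                      TargetProcessGUID=G_PS, TargetProcessId="5456", TargetImage=PS,
                      GrantedAccess="0x1fffff")),
    (10, 900001, dict(SourceProcessGUID="{00000000-0000-0000-0000-000000000001}",  # invented
                      SourceProcessId="4242", SourceImage=r"C:\Users\Public\helper.exe",
                      TargetProcessGUID="{00000000-0000-0000-0000-000000000002}",
                      TargetProcessId="640", TargetImage=r"C:\Windows\System32\lsass.exe",
                      GrantedAccess="0x1010")),
    (7, 103070, dict(ProcessGuid=G_PS, ProcessId="5456", Image=PS,
                     ImageLoaded=r"C:\Windows\System32\cryptbase.dll",
                     Signed="true", Signature="Microsoft Windows", SignatureStatus="Valid")),
    (7, 103052, dict(ProcessGuid=G_PS, ProcessId="5456", Image=PS,
                     ImageLoaded=r"C:\Program Files\SplunkUniversalForwarder\bin\archive.dll",
                     Signed="true", Signature="Splunk, Inc.", SignatureStatus="Valid")),
    (7, 900002, dict(ProcessGuid=G_PS, ProcessId="5456", Image=PS,  # invented
                     ImageLoaded=r"C:\Users\Public\helper.dll",
                     Signed="false", Signature="-", SignatureStatus="Unavailable")),
]
SAMPLE_XML = ('<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
              + "".join(_event_xml(*e) for e in SAMPLE_EVENTS) + "</Events>")


def parse_events(xml_text):
    """Return one dict per <Event>: EventID and EventRecordID plus every <Data Name=...>."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        rec = {"EventID": int(system.findtext("e:EventID", namespaces=NS)),
               "EventRecordID": int(system.findtext("e:EventRecordID", namespaces=NS))}
        for d in ev.find("e:EventData", NS).findall("e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return events


def decode_access(granted_access):
    """Turn Sysmon's hex GrantedAccess string into PROCESS_* right names."""
    mask = int(granted_access, 16)
    return ["ALL_ACCESS"] if mask == 0x1FFFFF else [n for b, n in ACCESS_BITS.items() if mask & b]


def unverified_loads(events):
    """ImageLoaded paths (event ID 7) that are unsigned or whose signature did not validate."""
    return [e["ImageLoaded"] for e in events if e["EventID"] == 7
            and not (e.get("Signed") == "true" and e.get("SignatureStatus") == "Valid")]


def non_system_loads(events):
    """(ImageLoaded, Signature) for event ID 7 loads from outside the Windows directory."""
    return [(e["ImageLoaded"], e.get("Signature", "")) for e in events
            if e["EventID"] == 7 and not e["ImageLoaded"].lower().startswith("c:\\windows\\")]


def suspicious_process_access(events, ignore_sources=("csrss.exe", "conhost.exe")):
    """Event ID 10 hits: LSASS memory reads, or handles with enough rights to inject code."""
    # Two benign shapes in this log are suppressed: csrss/conhost opening each new console
    # process with full access, and a parent keeping the full-access handle CreateProcess
    # returned for its child (correlated through the event ID 1 ParentProcessGuid).
    parent_of = {e["ProcessGuid"]: e["ParentProcessGuid"] for e in events if e["EventID"] == 1}
    hits = []
    for e in [x for x in events if x["EventID"] == 10]:
        mask = int(e["GrantedAccess"], 16)
        src = e["SourceImage"].rsplit("\\", 1)[-1].lower()
        if src in ignore_sources or parent_of.get(e["TargetProcessGUID"]) == e["SourceProcessGUID"]:
            continue
        reason = ("lsass-read" if e["TargetImage"].lower().endswith("\\lsass.exe") and mask & 0x0010
                  else "inject-capable" if (mask & INJECT_RIGHTS) == INJECT_RIGHTS else None)
        if reason:
            hits.append((e["EventRecordID"], e["SourceImage"], reason, decode_access(e["GrantedAccess"])))
    return hits
```

Call `parse_events(SAMPLE_XML)` and pass the result to the three check functions; `decode_access("0x1400")` gives the two QUERY rights svchost.exe holds on sysmon64.exe above, and `decode_access("0x1fffff")` collapses to ALL_ACCESS. Passing `ignore_sources=()` makes the csrss.exe handle surface as inject-capable, which is why the allowlist and the parent correlation are there: the mask alone does not distinguish a console subsystem or a parent from an injector, and the same mask from a user-writable path would be the finding.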
734700x8000000000000000103171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.715{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000103170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000103169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000103168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000103167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000103166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000103164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000103163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000103161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000103159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 11241100x8000000000000000103158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 734700x8000000000000000103157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000103156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000103155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 
734700x8000000000000000103154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 23542300x8000000000000000103153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CAB1A1ECA2716F4DB47CA9A93EEA79A,SHA256=BAD9385BE4022059D4C016FBF9AF21838B5AC935040F6BC4A0CF4B80DCC5121A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000103147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000103146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000103145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base 
APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000103143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 10341000x8000000000000000103141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000103140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000103136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:34.699{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:34.699{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.700{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000103129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.416{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft 
WindowsValid 10341000x8000000000000000103128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.416{7DAC9CB3-C486-63BE-B001-00000000A702}2124548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.400{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000103126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.400{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft 
734700x8000000000000000103224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000103223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000103222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000103221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000103220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x8000000000000000103219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000103218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000103217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000103216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000103211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000103210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000103208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000103207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000103206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000103202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000103200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000103198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000103193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:36.494{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:36.494{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.495{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:37.179{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:42.507{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E54AE107E3EFDA72F9D55C6FE96389,SHA256=C8DBDA04957462482E939A294397BFDFBFCB867A82E1FE5CCE12D170669F43E3,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000103298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:42.459{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x8000000000000000103297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:42.459{7DAC9CB3-BE87-63BE-0B00-00000000A702}636676C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000103296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:42.459{7DAC9CB3-BE87-63BE-0B00-00000000A702}636676C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:42.133{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=26ABC7D74530DDE7C77E7ADA4CF42536,SHA256=C63EE50C078FB5E31F02FDA45625A8B7B4EF4B51A817393CD6F014E5988439E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:42.285{7DAC9CB3-BE87-63BE-0B00-00000000A702}6362296C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000103294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:42.285{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x8000000000000000103293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:42.285{7DAC9CB3-BE87-63BE-0B00-00000000A702}6362296C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:42.285{7DAC9CB3-BE87-63BE-0B00-00000000A702}6362296C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:43.907{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:43.906{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:43.904{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 11241100x8000000000000000103310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:43.498{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:43.498{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A493C8182CE778998DA52419E7AC45BD,SHA256=781313A4777F007DEEDFD5D53A5D48E9D071F5018EB3024BD8F4BF2B5E055833,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:42.094{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59573-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000103307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:42.094{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59573-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000103332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:42.928{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59574-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000103331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.598{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.598{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BC0E80599228B4AF9D78BB7C58C703,SHA256=5EF00B0DAB72501848A16AE94B8567805E5232A9CC81420DE6D187FA5AE651CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.525{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.524{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.522{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.520{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.502{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x800000000000000039996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.588{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.585{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.582{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.579{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.579{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.576{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.574{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.572{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.570{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.564{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.556{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.551{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.547{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.540{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.531{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 
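The records above are Sysmon events exported with every field delimiter stripped: the header survives as EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel and Computer run together, followed by RuleName ("-") and the EventData fields in Sysmon's own order (for Event ID 10 ProcessAccess: UtcTime, SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace; for Event ID 3 NetworkConnect: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName). The security-relevant content in this slice is the run of Event ID 10 records in which aurora-agent.exe opens a handle to every process on both hosts, lsass.exe and winlogon.exe included, with GrantedAccess 0x40 and an identical wow64 call trace ending in an UNKNOWN frame, plus the lsass.exe to DFSRs.exe records with 0x1000 whose trace runs through RPCRT4.dll into lsasrv.dll (LSA handling an RPC call and querying its client). A rule that alerts on any handle to lsass.exe would fire on all of these; what matters is the access mask (0x40 is PROCESS_DUP_HANDLE and 0x1000 is PROCESS_QUERY_LIMITED_INFORMATION, neither of which can read process memory, whereas a credential dump needs PROCESS_VM_READ, 0x10, as in the usual 0x1010/0x1038/0x1FFFFF masks), the call trace, and an allow-list of the agent image. The following Python is an added example written for this page and is not part of the page or of any of the products named in it. The field layout is my reading of the records on the page; the four sample records are shortened copies of records from this page (call traces truncated), joined the way the page joins them; the regexes, function names, and the allow-list parameter are my own. Two caveats the format imposes: SourceProcessId and SourceThreadId are fused with no separator (the example keeps them raw), and an IPv6 address followed by a hostname that begins with hex letters cannot be split reliably.

```python
import re

# Constructed sample: four records copied from this page's dump and shortened (call
# traces truncated), joined like the page joins them: a space between records and a
# hard line break inside a record right after a space ("C:\Program " / "Files\...").
SAMPLE_STREAM = (
    "1034100" "0x8000000000000000" "103259" "Microsoft-Windows-Sysmon/Operational"
    "win-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:41.019"
    "{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\\Program \n"
    "Files\\Aurora-Agent\\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636"
    "C:\\Windows\\system32\\lsass.exe0x40C:\\Windows\\SYSTEM32\\ntdll.dll+a6154|"
    "C:\\Program Files\\Aurora-Agent\\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) "
    "1034100" "0x8000000000000000" "103297" "Microsoft-Windows-Sysmon/Operational"
    "win-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:42.459"
    "{7DAC9CB3-BE87-63BE-0B00-00000000A702}636676C:\\Windows\\system32\\lsass.exe"
    "{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\\Windows\\system32\\DFSRs.exe0x1000"
    "C:\\Windows\\SYSTEM32\\ntdll.dll+a6154|C:\\Windows\\System32\\RPCRT4.dll+7ac63 \n"
    "35430" "0x8000000000000000" "103306" "Microsoft-Windows-Sysmon/Operational"
    "win-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:41.255"
    "{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\\Windows\\System32\\lsass.exe"
    "NT AUTHORITY\\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local"
    "59572-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local389ldap "
    "35430" "0x8000000000000000" "103304" "Microsoft-Windows-Sysmon/Operational"
    "win-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:40.439"
    "{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\\Windows\\System32\\svchost.exe"
    "NT AUTHORITY\\NETWORK SERVICEudptruetruea00:10e:0:0:28d1:2354:dc4:ffff-51830-"
    "truee000:fc:0:0:0:0:0:0-5355llmnr"
)

# Header layout as read off the page (assumed): EventID, Version, Level, Task, Opcode,
# Keywords, EventRecordID, Channel, Computer, then RuleName "-" and the EventData.
# Sysmon sets Task == EventID; the backreference is what splits "1034100" into 10/3/4/10/0.
HEADER = re.compile(
    r"^(?P<event_id>\d+)(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"
    r"0x[0-9A-F]{16}(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>.+?)-(?P<body>[A-Za-z]*\d{4}-\d{2}-\d{2} .*)$", re.S)
UTC = r"(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
GUID = r"[0-9A-F-]{36}"
# EID 10: SourceProcessId and SourceThreadId are fused ("58406092" = 5840 + 6092), so
# they stay raw; GrantedAccess is the hex mask, CallTrace follows with no separator.
ACCESS_BODY = re.compile(
    r"^" + UTC + r"\{(?P<src_guid>" + GUID + r")\}(?P<src_pid_tid>\d+)"
    r"(?P<src_image>[A-Z]:\\.+?\.exe)\{(?P<tgt_guid>" + GUID + r")\}(?P<tgt_pid>\d+)"
    r"(?P<tgt_image>[A-Z]:\\.+?)(?P<access>0x[0-9A-Fa-f]+)(?=[A-Z]:\\|$)(?P<call_trace>.*)$")
# EID 3: Sysmon writes IPv6 uncompressed (8 groups). A hostname starting with hex
# letters directly after an IPv6 address is ambiguous in this delimiter-less form.
IP = r"(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9a-f]{1,4}(?::[0-9a-f]{1,4}){7})"
NET_BODY = re.compile(
    r"^" + UTC + r"\{(?P<guid>" + GUID + r")\}(?P<pid>\d+)(?P<image>[A-Z]:\\.+?\.exe)"
    r"(?P<user>.+?)(?P<proto>tcp|udp)(?P<initiated>true|false)(?P<src_v6>true|false)"
    r"(?P<src_ip>" + IP + r")(?P<src_host>.*?)(?P<src_port>\d+)(?P<src_port_name>[a-z-]*)"
    r"(?P<dst_v6>true|false)(?P<dst_ip>" + IP + r")(?P<dst_host>.*?)(?P<dst_port>\d+)"
    r"(?P<dst_port_name>[a-z-]*)$")
RECORD_START = re.compile(r"\s+(?=\d+0x[0-9A-F]{16}\d+Microsoft-Windows-Sysmon/Operational)")

def split_stream(text):
    """Drop the wrap-induced line breaks, then cut the stream before each header."""
    return [r.strip() for r in RECORD_START.split(text.replace("\n", "")) if r.strip()]

def parse_record(rec):
    """Header fields for any record; EventData fields for EID 10 and EID 3."""
    m = HEADER.match(rec)
    if not m:
        return None
    ev = {"event_id": int(m["event_id"]), "record_id": int(m["record_id"]),
          "computer": m["computer"]}
    body_re = {10: ACCESS_BODY, 3: NET_BODY}.get(ev["event_id"])
    b = body_re.match(m["body"]) if body_re else None
    if b:
        ev.update(b.groupdict())
    return ev

PROCESS_RIGHTS = {0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
                  0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
                  0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA", 0x0200: "SET_INFORMATION",
                  0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
                  0x1000: "QUERY_LIMITED_INFORMATION"}

def decode_access(mask):
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]

def triage_lsass_access(events, allowlist=()):
    """EID 10 records whose target is lsass.exe, minus allow-listed source images."""
    allow = {a.lower() for a in allowlist}
    hits = []
    for ev in events:
        if not ev or ev.get("event_id") != 10 or "tgt_image" not in ev:
            continue
        if not ev["tgt_image"].lower().endswith("\\lsass.exe") or ev["src_image"].lower() in allow:
            continue
        mask = int(ev["access"], 16)
        if mask & 0x0010:                      # PROCESS_VM_READ: what a memory dump needs
            reason = "VM_READ on lsass (credential-dump pattern)"
        elif "UNKNOWN(" in ev["call_trace"]:   # return address not inside any loaded module
            reason = "caller frame not backed by a loaded module"
        else:
            reason = "non-allowlisted handle to lsass"
        hits.append((ev["src_image"], ev["access"], decode_access(mask), reason))
    return hits

if __name__ == "__main__":
    events = [parse_record(r) for r in split_stream(SAMPLE_STREAM)]
    for hit in triage_lsass_access(events):
        print(hit)
```

Run against the sample, the only hit is aurora-agent.exe opening lsass.exe with DUP_HANDLE and an UNKNOWN frame in its trace; the lsass.exe to DFSRs.exe records never match because lsass is the source there, not the target. Passing the agent's image path in `allowlist` silences it, which is the right shape for a production rule only if the allow-list is also tied to the binary's hash or signer (the page's EID 23 records show the hashes this deployment already collects), since a path alone is trivially spoofed. To recover the fused SourceProcessId for a hit, join on SourceProcessGUID against the EID 1 ProcessCreate record for that GUID rather than guessing where the PID ends and the thread ID begins.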
10341000x800000000000000039981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.527{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.512{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.502{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.473{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.466{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.456{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.449{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.442{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.436{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.427{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.420{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.412{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.404{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.401{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 23542300x800000000000000039967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.045{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06B323C107CB3870ED1FCEBEDD3C0FD,SHA256=8F44EF1C7AA4670A9C6AC0D2810B28D41434E1C2F8D2283E4E444DBD0C43E320,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:44.487{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.452{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.445{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.435{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.431{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.429{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.426{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.423{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.421{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.420{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.417{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 11241100x8000000000000000103365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:45.884{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:45.884{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8749539B5684A9AE7E373699DD1B9F,SHA256=FBA20D11C7C58EE967A5CED59F620383B563D4420B774493A2D1545CB1D882C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:45.343{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC63D1C311685160DB3F08988883296E,SHA256=15F055362FBCF0550125EDE92BD87DC4372C5D9164039C463904224BD6726E79,IMPHASH=00000000000000000000000000000000falsetrue 
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 EventRecordID=103363 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- EventType=CreateKey UtcTime=2023-01-11 14:15:45.023 ProcessGuid={7DAC9CB3-BE89-63BE-1600-00000000A702} ProcessId=1300 Image=C:\Windows\System32\svchost.exe TargetObject=HKCR
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 EventRecordID=103362 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- EventType=CreateKey UtcTime=2023-01-11 14:15:45.023 ProcessGuid={7DAC9CB3-BE89-63BE-1600-00000000A702} ProcessId=1300 Image=C:\Windows\System32\svchost.exe TargetObject=HKCR
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 EventRecordID=103361 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- EventType=CreateKey UtcTime=2023-01-11 14:15:45.023 ProcessGuid={7DAC9CB3-BE89-63BE-1600-00000000A702} ProcessId=1300 Image=C:\Windows\System32\svchost.exe TargetObject=HKCR
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 EventRecordID=103360 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- EventType=CreateKey UtcTime=2023-01-11 14:15:45.023 ProcessGuid={7DAC9CB3-BE89-63BE-1600-00000000A702} ProcessId=1300 Image=C:\Windows\System32\svchost.exe TargetObject=HKCR
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 EventRecordID=103359 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- EventType=CreateKey UtcTime=2023-01-11 14:15:45.023 ProcessGuid={7DAC9CB3-BE89-63BE-1600-00000000A702} ProcessId=1300 Image=C:\Windows\System32\svchost.exe TargetObject=HKCR
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 EventRecordID=103358 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- EventType=CreateKey UtcTime=2023-01-11 14:15:45.023 ProcessGuid={7DAC9CB3-BE89-63BE-1600-00000000A702} ProcessId=1300 Image=C:\Windows\System32\svchost.exe TargetObject=HKCR
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 EventRecordID=103357 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- EventType=CreateKey UtcTime=2023-01-11 14:15:45.023 ProcessGuid={7DAC9CB3-BE89-63BE-1600-00000000A702} ProcessId=1300 Image=C:\Windows\System32\svchost.exe TargetObject=HKCR

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=103356 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- UtcTime=2023-01-11 14:15:45.023
  SourceProcessGUID={7DAC9CB3-BE88-63BE-0C00-00000000A702} SourceProcessId=836 SourceThreadId=4356 SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={7DAC9CB3-BE87-63BE-0B00-00000000A702} TargetProcessId=636 TargetImage=C:\Windows\system32\lsass.exe
  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=103355 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- UtcTime=2023-01-11 14:15:45.023
  SourceProcessGUID={7DAC9CB3-BE88-63BE-0C00-00000000A702} SourceProcessId=836 SourceThreadId=4356 SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={7DAC9CB3-BE87-63BE-0B00-00000000A702} TargetProcessId=636 TargetImage=C:\Windows\system32\lsass.exe
  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=103354 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- UtcTime=2023-01-11 14:15:45.023
  SourceProcessGUID={7DAC9CB3-BE87-63BE-0B00-00000000A702} SourceProcessId=636 SourceThreadId=676 SourceImage=C:\Windows\system32\lsass.exe
  TargetProcessGUID={7DAC9CB3-BE89-63BE-1600-00000000A702} TargetProcessId=1300 TargetImage=C:\Windows\System32\svchost.exe
  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 EventRecordID=103353 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- EventType=CreateKey UtcTime=2023-01-11 14:15:45.023 ProcessGuid={7DAC9CB3-BE89-63BE-1600-00000000A702} ProcessId=1300 Image=C:\Windows\System32\svchost.exe TargetObject=HKCR
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 EventRecordID=103352 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- EventType=CreateKey UtcTime=2023-01-11 14:15:45.023 ProcessGuid={7DAC9CB3-BE89-63BE-1600-00000000A702} ProcessId=1300 Image=C:\Windows\System32\svchost.exe TargetObject=HKCR
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 EventRecordID=103351 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- EventType=CreateKey UtcTime=2023-01-11 14:15:45.023 ProcessGuid={7DAC9CB3-BE89-63BE-1600-00000000A702} ProcessId=1300 Image=C:\Windows\System32\svchost.exe TargetObject=HKCR
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 EventRecordID=103350 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- EventType=CreateKey UtcTime=2023-01-11 14:15:45.023 ProcessGuid={7DAC9CB3-BE89-63BE-1600-00000000A702} ProcessId=1300 Image=C:\Windows\System32\svchost.exe TargetObject=HKCR
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 EventRecordID=103349 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- EventType=CreateKey UtcTime=2023-01-11 14:15:45.023 ProcessGuid={7DAC9CB3-BE89-63BE-1600-00000000A702} ProcessId=1300 Image=C:\Windows\System32\svchost.exe TargetObject=HKCR
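The Event ID 10 (ProcessAccess) records in this export are the classic false-positive set for any rule that fires on "something opened lsass.exe": Aurora-Agent (PID 1552 on win-host, PID 5840 on win-dc) walks every process on the box, lsass.exe included, with GrantedAccess 0x40 (PROCESS_DUP_HANDLE) and an UNKNOWN frame at the bottom of its call trace; the svchost.exe hosting the Local Session Manager (lsm.dll on the stack) opens lsass.exe with 0x1400; and lsass.exe itself opens svchost.exe with 0x1000 from lsasrv.dll. None of those masks carries PROCESS_VM_READ, which is what reading credential material out of LSASS actually requires. The script below is an added example, not part of this export or of any vendor's rule set: it decodes the mask into named rights, allowlists the two benign patterns from these records (the allowlist entries are assumptions for this range), and only raises severity when VM_READ is granted. Three records are transcribed from the dump with abridged call traces; the two CONSTRUCTED_RECORDS (a dump-capable handle from an arbitrary user-writable path, and an svchost 0x1400 whose trace lacks lsm.dll) are made up here for contrast.

```python
"""Triage of Sysmon Event ID 10 (ProcessAccess) records targeting lsass.exe.

Added example; not part of the original log export. PAGE_RECORDS are transcribed
from the dump (CallTrace abridged to the frames the logic inspects);
CONSTRUCTED_RECORDS are invented for contrast. Allowlists are range-specific assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Win32 process access rights (winnt.h); Sysmon's GrantedAccess is an OR of these.
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# ReadProcessMemory / MiniDumpWriteDump need VM_READ; a handle without it cannot
# carry LSASS memory out, whatever else the mask contains.
PROCESS_VM_READ = 0x0010

# Assumed allowlist: (lower-cased source image, exact mask) pairs routine on this
# range. Exact-mask matching, so 0x40 from the agent never excuses 0x1010 from it.
BENIGN_PAIRS = {(r"c:\program files\aurora-agent\aurora-agent.exe", 0x40)}
# svchost.exe -> lsass.exe with 0x1400 is benign only with the Local Session
# Manager (lsm.dll) on the stack; the image name alone is trivially borrowed.
BENIGN_IF_MODULE_ON_STACK = {(r"c:\windows\system32\svchost.exe", 0x1400): "lsm.dll"}

UNBACKED_FRAME = re.compile(r"UNKNOWN\([0-9a-f]+\)", re.I)  # frame with no module behind it


@dataclass
class Verdict:
    record_id: int
    severity: str                       # "benign" | "low" | "high"
    rights: list[str]
    reasons: list[str] = field(default_factory=list)


def decode_mask(granted: str) -> tuple[int, list[str]]:
    """'0x1410' -> (0x1410, ['PROCESS_VM_READ', 'PROCESS_QUERY_INFORMATION', ...])."""
    mask = int(granted, 16)
    return mask, [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


def trace_modules(call_trace: str) -> list[str]:
    """Lower-cased module basenames from a CallTrace of 'path+offset|path+offset'."""
    return [f.split("+", 1)[0].rsplit("\\", 1)[-1].lower() for f in call_trace.split("|")]


def triage(ev: dict) -> Verdict:
    mask, rights = decode_mask(ev["GrantedAccess"])
    src = ev["SourceImage"].lower()
    v = Verdict(ev["RecordID"], "low", rights)

    def settle(severity: str, reason: str) -> Verdict:
        v.severity = severity
        v.reasons.append(reason)
        return v

    if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
        return settle("benign", "target is not lsass.exe")
    if (src, mask) in BENIGN_PAIRS:
        return settle("benign", "allowlisted source/mask pair")
    needed = BENIGN_IF_MODULE_ON_STACK.get((src, mask))
    if needed and needed in trace_modules(ev["CallTrace"]):
        return settle("benign", f"{needed} on stack")
    if mask & PROCESS_VM_READ:
        settle("high", "PROCESS_VM_READ granted on lsass.exe")
        if UNBACKED_FRAME.search(ev["CallTrace"]):
            v.reasons.append("unbacked code in call trace")
        return v
    return settle("low", "no PROCESS_VM_READ; memory cannot be read")


def triage_all(events: list[dict]) -> dict[int, Verdict]:
    return {ev["RecordID"]: triage(ev) for ev in events}


# Transcribed from the dump (RecordID, images and masks as logged; traces abridged).
PAGE_RECORDS = [
    {"RecordID": 39969, "SourceImage": r"C:\Program Files\Aurora-Agent\aurora-agent.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x40",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|"
                  r"C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810)"},
    {"RecordID": 103356, "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|"
                  r"c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63"},
    {"RecordID": 103354, "SourceImage": r"C:\Windows\system32\lsass.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed"},
]
# Constructed, not from the page: a dump-capable handle with unbacked code on the
# stack, and an svchost 0x1400 whose trace does not go through lsm.dll.
CONSTRUCTED_RECORDS = [
    {"RecordID": 1, "SourceImage": r"C:\Users\Public\dump.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6154|UNKNOWN(00007ff6c0001234)"},
    {"RecordID": 2, "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\RPCRT4.dll+7ac63"},
]

if __name__ == "__main__":
    for rid, verdict in triage_all(PAGE_RECORDS + CONSTRUCTED_RECORDS).items():
        print(rid, verdict.severity, verdict.rights, "; ".join(verdict.reasons))
```

Two design points worth keeping when porting this to a SIEM query: the allowlist keys on the exact mask rather than the image alone, so a compromised or impersonated agent path asking for 0x1010 still surfaces; and the UNKNOWN frame is only used to raise confidence once VM_READ is present, because the legitimate scanner in these records shows an UNKNOWN frame on every access it makes and would otherwise flood the queue.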
12241200x8000000000000000103348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.022{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.022{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.022{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.022{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.022{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 734700x8000000000000000103341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:45.015{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft 
Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000103340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:45.015{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000103339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:45.014{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000103338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:45.010{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 12241200x8000000000000000103337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:15:45.010{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x8000000000000000103336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.010{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x8000000000000000103335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:45.010{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000103334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:45.010{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000103333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:45.008{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program 
Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:46.440{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1878A50B2DD10B399D4C13078C702A7A,SHA256=98B13D045EFBC08968795454907E32A8D8246D98E73665B3C10A0F08459E0795,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:45.707{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49998-false10.0.1.12-8000- 23542300x800000000000000039999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:47.527{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2D338B9CB7426728B390D588D9D1A7,SHA256=185CF8B7C45D0584545466AB9762CE84553433ADC193528CA1BF0797C21604C9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:47.027{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:47.027{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6DC0DA4ED78113DC63AF1F6E80C9BC1,SHA256=6C7D7CE3E3C8E8FE6255E106D63336D9A368E9DAC114B67839709972D4949D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:48.609{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4245194FA42CDC546E6B2D71A80521A0,SHA256=7E7DDDB216388A550225377A84B1B5EE080A15BF8F8D9BB35B0267980FE3C93D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:48.866{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 
(rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 13241300x8000000000000000103407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:48.866{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 12241200x8000000000000000103406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:48.866{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 13241300x8000000000000000103405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:48.866{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x8000000000000000103404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:48.866{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x8000000000000000103403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:48.866{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD 
(0x01d925c7) 13241300x8000000000000000103402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:48.866{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0x3433c05c) 13241300x8000000000000000103401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:48.866{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d925c7) 13241300x8000000000000000103400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:48.866{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0x3420aef0) 12241200x8000000000000000103399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:48.866{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000} 12241200x8000000000000000103398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:48.866{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List 12241200x8000000000000000103397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:15:48.866{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine 13241300x8000000000000000103396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:48.866{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000103395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:48.866{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x8000000000000000103394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:48.866{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 12241200x8000000000000000103393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:48.851{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances 13241300x8000000000000000103392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:48.851{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-CTUS-ATT 12241200x8000000000000000103391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:15:48.851{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x8000000000000000103390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:48.851{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x8000000000000000103389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:48.851{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 13241300x8000000000000000103388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:48.851{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-CTUS-ATT$ 12241200x8000000000000000103387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:48.851{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x8000000000000000103386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:48.851{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x8000000000000000103385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:48.851{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 
10341000x8000000000000000103384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:48.851{7DAC9CB3-BE87-63BE-0B00-00000000A702}636676C:\Windows\system32\lsass.exe{7DAC9CB3-BE84-63BE-0100-00000000A702}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97e62|C:\Windows\system32\kerberos.DLL+79f68|C:\Windows\system32\kerberos.DLL+1451f|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x8000000000000000103383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:48.851{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 12241200x8000000000000000103382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:48.851{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 12241200x8000000000000000103381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:15:48.741{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x8000000000000000103380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:48.741{7DAC9CB3-BE87-63BE-0B00-00000000A702}636676C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000103379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:48.741{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x8000000000000000103378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:48.741{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x8000000000000000103377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:48.741{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group 
Policy\History\NetworkNameus-east-2.compute.internal 13241300x8000000000000000103376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:48.741{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-ctus-attack-range-661.attackrange.local 12241200x8000000000000000103375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:48.741{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 12241200x8000000000000000103374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:48.741{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness 12241200x8000000000000000103373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:48.741{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x8000000000000000103372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:48.741{7DAC9CB3-BE87-63BE-0B00-00000000A702}636676C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000103371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:48.741{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Cache 12241200x8000000000000000103370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:48.741{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy 11241100x8000000000000000103369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:48.131{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:48.131{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4992A682319AC66939F48E7E5C354A2B,SHA256=91BE68CE401BCF5CCE8137B9A24ACE62C82E9BF2944B0E98B7DBEF67A4209EDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:48.663{7DAC9CB3-BE84-63BE-0100-00000000A702}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local59577-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local445microsoft-ds 354300x8000000000000000103417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:48.663{7DAC9CB3-BE84-63BE-0100-00000000A702}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local59577-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local445microsoft-ds 354300x8000000000000000103416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:48.563{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59576-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000103415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:48.563{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59576-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000103414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:48.554{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local59575-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000103413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:48.554{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local59575-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local389ldap 11241100x8000000000000000103412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:49.881{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000103411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:49.881{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40B8EC27A939ED978D932C4FB5982EE4,SHA256=805C1B875289CB04DBED4659158B31932B7071B4A23004CE1AE56A430B1E82B5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:49.772{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000103409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:49.772{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD878E379D95523A0DF8EB7353F577FB,SHA256=C0E9BC620D40C9DF72DA6E774D6A4912DA6EBAA55741DB9712637334E5A088E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:49.710{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C3F44F7C17954F4D52CB7BAAD8C5D0,SHA256=92CCB7A1B9115A72701C60EFE005B8C7AE9B8E5A0044058DFB831C0B5351D47D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:50.883{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:50.883{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0FCC1D614AED1DE76602E57B5D9947,SHA256=B703BFA1F49EB64B6FC9B163A4B509A0050E543030DB219C77C29240DD61333C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000040003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:50.818{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68032C2BFB2D091C693F3F5EE6C125F0,SHA256=3D4ED901BC065D65D41237B2E29F71053B1434E033761E39A4F59DA32DEB6FA5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:50.570{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-10 09:30:10.975 23542300x8000000000000000103419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:50.570{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3085BE375F2251E1D0F6E336E7E27EAE,SHA256=46B6EB48BBB7E2E5B3533A469C2305D5AD043990D967B054933A65E35C8A4912,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:51.970{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:51.970{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526A9B0FF7D0E1A4E2B825C763304F40,SHA256=AEF2F899B55BD2556B1C19A656E2CB3C348686DCE7DC5B6BC4CEA611DC41B034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:51.896{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=095CD2F3EDAC346AC019381933D9F2A9,SHA256=5D8A72A6A579F104BBFDBAF5782C099791ED739E106FF0119F17D4026CC2CCD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:52.985{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D40BFBA0CE91C6C53E270267B50875E,SHA256=B7FE61287292FC5B31F7FEB708AF7467A72D286D7C027671E43216CE14725517,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:48.863{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59578-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000103427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:53.084{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:53.084{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09FCC16495B4B5506B81BA5190514F50,SHA256=05C0B432F6FDA8AC4F3ECC1A9AD21D3E8FA4241DF706B532882700FDD5BA487A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:54.563{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\respondent-20230111135017-024MD5=07F426DA1BACB3E11353998655DE41A4,SHA256=9692EE6582095E917EA0BD91D619685FE73AB8816512AD24B6859CB275BF64B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:54.562{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\tmp\respondent-20230111135017-0242023-01-11 14:15:54.561 11241100x8000000000000000103430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:54.560{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\tmp\surveyor-20230111135015-0252023-01-11 14:15:54.560 
11241100x8000000000000000103429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:54.184{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:54.184{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1C6E7A4421BF9C8221B8484CEDDAE2,SHA256=0A99E51C501399AC052DD10122EF497BC35A375E86DD7DF015C9754F99500450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:54.086{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B240F67B0920A5615C547341BAEDC6B6,SHA256=1E73BD17E54164E231328351D5FB6242ECF1E79E42EADACBB39BFE0BBFF97918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:55.572{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\surveyor-20230111135015-025MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000103434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:55.274{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:55.274{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6802FE1F46AE7D7CE5BB964AE2245587,SHA256=709505FE0EE8B0DE347FE9D178F1E9E9E4FC6A5E7F57F90702E873DF190E9064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:55.173{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE63295749D55F64A640274ABA795AC,SHA256=563E2DD9B1FB6516378CE44AD1719BAFBBBDC1213CC7FD47E5DA5FED8AF2F189,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:51.682{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49999-false10.0.1.12-8000- 11241100x8000000000000000103438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:56.370{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:56.370{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE68BA600C80C8A7FFD55E398CBFB8F,SHA256=3B3530096EA6E9A27F800BA68392DD2F3FA575EC3B4577D35DD43BA69FA55963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:56.275{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553C75261300FFA0DF2A4613CD28F4CF,SHA256=7CAC043AE24104399049AE05CE31A93F9B588FE382F281BC88B0257269BE62D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:53.962{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59579-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000103441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:57.652{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-11 14:15:57.652 11241100x8000000000000000103440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:57.459{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:57.459{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D07A021F6B0D94EBF73C9751827EC927,SHA256=46063D18DABB90CD072388206EBB552460129E49C24C3AFE5805C1CF834D7476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:57.976{3EE3745C-BE85-63BE-1100-00000000A802}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5EA84DB80D5E8C7580FB6577B34981CE,SHA256=BE4B103A23E4DA414DBB175A7354654A14B16867ACE229D625A2AFB870906897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:57.373{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001236614B03EA7B715689C61BDD2A5A,SHA256=CAA802E2A6CC178FCB9786FA6E9068FB2BA555EEA56BEC72F9C1393794204F33,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000103443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:58.560{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:58.560{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD280FCBEBA5FB0AA033796D543ABB32,SHA256=3CABE657266B7C165A9A4F26428386A245090EDB095D89A9AF43D2BAC8E0E750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:58.461{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA30FC86FF5737DDE23EC2E3B22DD3F,SHA256=112E745C69A464B72D2129BB080B8D448748B02D243EE1560FE440420D55FE4D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:59.669{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:59.669{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC309E353CC0071C38330A93E8190A68,SHA256=C0BA3ACDA8F316B06F4BC8DA13889E34CB8F9096FCBF23C454AD82EBBBAE6187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:59.566{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C0EC17700E591FEBFC999845C9DDE0,SHA256=B97CF93638473B366485D02CDD2AF12ABA43C310D5BECB3E8C55EBC6EA8B7C4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:56.828{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50000-false10.0.1.12-8000- 11241100x8000000000000000103449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:00.772{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:00.772{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E904B0B792C8FDA2332735EE899FB34C,SHA256=82E414AA3C3122B5B625490A9206CDDE5AA487EBCBF544C0ECD8121DE41DB172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:00.657{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D3C72A050DE38A5E3CC44D8E1DB394A,SHA256=6A5F1301823FD30FA14635ECEB124F646FF6240AA8971EEA66EDA74C0F36E4C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:00.665{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000103446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:00.665{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8132219C2815E9D79D45A628CE4DC237,SHA256=2853EB4F550D49BA1EB74BCEA785EA15216353809CE372185D7B0122A269D7F5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.808{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.808{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB77290455CF38F788FA1E2D12774F5C,SHA256=2423597B54AED332D1B80D9683376706B3C40C3E9853A112A1FF9B38798BC2A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:01.748{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B0B095780112FEE3B150309CCDDFE6,SHA256=7E91B509B1EE614F2A92039CB32DDC6C67636FA86834713E3CFC53F774E78EDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.374{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 
10341000x8000000000000000103469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.348{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.338{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.332{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.326{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.324{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.259{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.249{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.244{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.220{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.207{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x8000000000000000103459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.207{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=99536E90C47300013FFB11670B7CFA23,SHA256=ECED7F3D6159F4A71D4609DF1C71C19218AAAC3F4C22309C7B5AFE539E593F60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:01.192{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.176{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 354300x8000000000000000103456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:59.050{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59580-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000103455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:01.162{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.133{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.113{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.100{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.020{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.014{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 11241100x8000000000000000103483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:02.891{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:02.891{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72E7D553C3AB231FE3E14B65C04C81B,SHA256=B7A51A570B7CAE671FC9D84FB355F655A7FA46422421835941D1DC91499BED02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:02.828{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77F4CA12F50C3CB0ECB313101A0039F,SHA256=D54CE71280769A456856B104CC9C8D7304714C910B7DAA8233956E7FB2760089,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:02.141{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:02.139{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:02.128{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:02.126{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:02.121{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:02.119{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 11241100x8000000000000000103475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:02.116{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2023-01-11 13:50:01.763 23542300x8000000000000000103474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:02.116{7DAC9CB3-BE89-63BE-1100-00000000A702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F9CDF7EF0799BB0FC3945C1D6E82F986,SHA256=F65E40F6097F401307EA85B0161FCA95604FA1AE84F508582540D0FEE7D168B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:02.115{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 11241100x8000000000000000103485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:03.988{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 
09:32:18.990 23542300x8000000000000000103484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:03.988{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B96F00D135A8679A895228BCBA4006,SHA256=3098DAD7F6D3EE11CC67855FB444CFDE4DA31E6AEF85BA001F6EE1FF91DF17C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:03.919{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4B85D20AB037C669F3E8E5D91BE020,SHA256=188D9486305E544EFD5DD0C85A506440BFDB1025BFE368865996F0BAD925FCC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.809{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:04.809{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.806{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.804{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.785{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.769{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.728{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.717{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.705{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.699{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.697{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.694{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.688{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.686{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.685{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.681{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.165{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.164{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:04.162{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000040048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.851{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.844{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.836{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.822{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.821{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.817{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.816{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.812{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.810{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.804{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.795{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.788{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.783{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.769{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.745{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 
14:16:11.669{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.669{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:11.669{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.669{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:11.669{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.669{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:11.669{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.669{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C4AB-63BE-5201-00000000A802}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.669{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C4AB-63BE-5201-00000000A802}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.670{3EE3745C-C4AB-63BE-5201-00000000A802}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000040082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:08.946{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50003-false10.0.1.12-8089- 10341000x800000000000000040081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.216{3EE3745C-C4AA-63BE-5101-00000000A802}40523736C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.073{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D637DA14D82C1FDDFEAC2531D306EA8A,SHA256=745821A9471AA0DB17847F7D70B3E346E9BC68DF4807C9F5FC8377065613E430,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.049{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AA-63BE-5101-00000000A802}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 
10341000x800000000000000040078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.049{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AA-63BE-5101-00000000A802}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.049{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AA-63BE-5101-00000000A802}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.049{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AA-63BE-5101-00000000A802}4052C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.049{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AA-63BE-5101-00000000A802}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.049{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AA-63BE-5101-00000000A802}4052C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 11241100x8000000000000000103522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:12.924{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:12.924{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163E9974918192B032E9DA3029503DD9,SHA256=023173DD6A4B7F37A360B0B856110DF5886C2EE255C94622C6E98108F70B5DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.453{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5D3FF1AB48D7A3B9EA3B69024C985717,SHA256=A2D79EE3A6BE6D41A28B33610E1D3CDE03D87DAE5BE46A78BEEF98F75DBD5DE0,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000040110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.187{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED835FA64391C2719C984C022EEC78D7,SHA256=33286F6228897D6295DECAFD701F6E83733663C97279C505E81B9EF49122268C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.187{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C39C0AC5F7D39952132564DC76873088,SHA256=937158685448F87892CF0BB62A7EA273AAF8CC9FD5961332F1A7B3D05BB9881F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.179{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C4AC-63BE-5301-00000000A802}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:12.176{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.176{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:12.176{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.176{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:12.176{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.176{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:12.176{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.175{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C4AC-63BE-5301-00000000A802}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:12.175{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.175{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.175{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C4AC-63BE-5301-00000000A802}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.175{3EE3745C-C4AC-63BE-5301-00000000A802}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
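The Event ID 10 (ProcessAccess) records in this export fall into three patterns: svchost.exe, through lsm.dll on an RPC worker, opening sysmon64.exe with GrantedAccess 0x1400; splunkd.exe holding 0x1fffff on each helper it spawns (splunk-admon.exe, splunk-MonitorNoHandle.exe, splunk-netmon.exe), matched by an Event ID 1 whose ParentProcessGuid is splunkd's; and aurora-agent.exe (WOW64) opening splunk-admon.exe with 0x1010 and 0x1000. What follows is an added example, not code from this log export or from Splunk Attack Range: it decodes the GrantedAccess mask into the winnt.h PROCESS_* rights, ranks each record by what the handle allows, and suppresses the parent-to-child handle that CreateProcess returns by joining Event 10 against Event 1 ParentProcessGuid. It assumes the records arrive as Sysmon XML (the form the Splunk WinEventLog input reads before the tags are stripped, as they are in this export); the sample feed is constructed, with GUIDs, image paths and masks copied from the records above.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records by GrantedAccess.

Added example, not code from the log export or from Splunk Attack Range.
Assumes Sysmon XML input; GrantedAccess is decoded with the winnt.h
PROCESS_* constants and Event ID 1 ParentProcessGuid is used to suppress
the full-access handle a parent legitimately receives from CreateProcess.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# winnt.h process access rights; 0x4000 and 0x8000 are reserved and unnamed,
# so they come back as a raw hex remainder.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Rights that together permit classic remote-thread injection.
INJECTION_RIGHTS = {"PROCESS_VM_WRITE", "PROCESS_VM_OPERATION", "PROCESS_CREATE_THREAD"}


def decode_access(mask: int) -> list[str]:
    """Expand a GrantedAccess mask into named rights, lowest bit first."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)  # bits winnt.h does not name
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def classify(rights: list[str]) -> str:
    """Rank a set of rights by what the holder can do to the target."""
    held = set(rights)
    if INJECTION_RIGHTS <= held:
        return "injection-capable"
    if "PROCESS_VM_READ" in held:
        return "memory-read"
    return "query-only"


@dataclass
class ProcessAccess:
    utc_time: str
    source_guid: str
    source_image: str
    target_guid: str
    target_image: str
    granted_access: int


def _data(event: ET.Element, name: str) -> str:
    return event.find(f"e:EventData/e:Data[@Name='{name}']", NS).text


def parse_events(xml_text: str) -> tuple[list[ProcessAccess], dict[str, str]]:
    """Collect Event 10 records and an Event 1 child-GUID -> parent-GUID map."""
    accesses, parent_of = [], {}
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = int(ev.find("e:System/e:EventID", NS).text)
        if event_id == 1:
            parent_of[_data(ev, "ProcessGuid")] = _data(ev, "ParentProcessGuid")
        elif event_id == 10:
            accesses.append(ProcessAccess(
                _data(ev, "UtcTime"), _data(ev, "SourceProcessGUID"),
                _data(ev, "SourceImage"), _data(ev, "TargetProcessGUID"),
                _data(ev, "TargetImage"), int(_data(ev, "GrantedAccess"), 16)))
    return accesses, parent_of


def triage(xml_text: str) -> list[dict]:
    """One verdict per ProcessAccess record; alert on memory read or injection."""
    accesses, parent_of = parse_events(xml_text)
    results = []
    for a in accesses:
        rights = decode_access(a.granted_access)
        verdict = classify(rights)
        if parent_of.get(a.target_guid) == a.source_guid:
            verdict = "parent-handle"  # CreateProcess hands the parent full access
        results.append({"time": a.utc_time, "source": a.source_image,
                        "target": a.target_image, "mask": f"0x{a.granted_access:x}",
                        "rights": rights, "verdict": verdict,
                        "alert": verdict in ("memory-read", "injection-capable")})
    return results


# Constructed sample feed; GUIDs, images and masks are copied from the export.
def _event(event_id: int, **data: str) -> str:
    fields = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (f"<Event xmlns='{NS['e']}'><System><EventID>{event_id}</EventID>"
            f"</System><EventData>{fields}</EventData></Event>")

SVCHOST, SYSMON = "{3EE3745C-BE84-63BE-0C00-00000000A802}", "{3EE3745C-BE85-63BE-1A00-00000000A802}"
SPLUNKD, NETMON = "{3EE3745C-BE85-63BE-2200-00000000A802}", "{3EE3745C-C4AC-63BE-5301-00000000A802}"
AURORA, ADMON = "{3EE3745C-BE85-63BE-2100-00000000A802}", "{3EE3745C-C4AA-63BE-5101-00000000A802}"
UF = r"C:\Program Files\SplunkUniversalForwarder\bin"
SAMPLE = "<Events>" + "".join([
    _event(1, UtcTime="2023-01-11 14:16:12.175", ProcessGuid=NETMON,
           Image=UF + r"\splunk-netmon.exe", ParentProcessGuid=SPLUNKD),
    _event(10, UtcTime="2023-01-11 14:16:12.176", SourceProcessGUID=SVCHOST,
           SourceImage=r"C:\Windows\system32\svchost.exe", TargetProcessGUID=SYSMON,
           TargetImage=r"C:\Windows\sysmon64.exe", GrantedAccess="0x1400"),
    _event(10, UtcTime="2023-01-11 14:16:12.175", SourceProcessGUID=SPLUNKD,
           SourceImage=UF + r"\splunkd.exe", TargetProcessGUID=NETMON,
           TargetImage=UF + r"\splunk-netmon.exe", GrantedAccess="0x1fffff"),
    _event(10, UtcTime="2023-01-11 14:16:11.049", SourceProcessGUID=AURORA,
           SourceImage=r"C:\Program Files\Aurora-Agent\aurora-agent.exe",
           TargetProcessGUID=ADMON, TargetImage=UF + r"\splunk-admon.exe",
           GrantedAccess="0x1010"),
]) + "</Events>"

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["verdict"], row["mask"], row["source"], "->", row["target"])
```

Run against the sample feed, the svchost.exe open of sysmon64.exe comes back query-only (PROCESS_QUERY_INFORMATION plus PROCESS_QUERY_LIMITED_INFORMATION, which is what the lsm.dll session-manager path needs), the splunkd.exe 0x1fffff handle on splunk-netmon.exe is suppressed as parent-handle because Event 1 names splunkd as its parent, and the aurora-agent.exe 0x1010 open of splunk-admon.exe is the only row that alerts, since PROCESS_VM_READ lets the source read the target's memory. Which memory-read sources to allowlist (an EDR or scanner agent reading process memory is expected) is a per-environment decision; the classification stays the same.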
354300x8000000000000000103520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:10.961{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59582-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000040112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:13.485{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB90676C63B639B4B189278AA9A58360,SHA256=E1AA7286CDE96120F89F5112424599DF691A4F3F5CCADFECC35DBB041CC1CE72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.863{3EE3745C-C4AE-63BE-5501-00000000A802}32442604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.660{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C4AE-63BE-5501-00000000A802}3244C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.660{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:14.660{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.660{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:14.660{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.660{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:14.660{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.660{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:14.660{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.660{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.660{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C4AE-63BE-5501-00000000A802}3244C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.660{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C4AE-63BE-5501-00000000A802}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.662{3EE3745C-C4AE-63BE-5501-00000000A802}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.582{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=831B98F2EDB359EDCC5088A84C55B80D,SHA256=39E6407917E24C739F265E009F8BFEC0CC348E63DAE61D500C539E873ADA7215,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:14.123{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:14.123{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D88ABFBCC6ACAF269DBE5C93AEC81F0,SHA256=E1640785DBBAF14036FF8570308A22A7CE4A3BB09359ACC90AD1D15E23B246B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:14.270{3EE3745C-C4AE-63BE-5401-00000000A802}40281560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.206{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AE-63BE-5401-00000000A802}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.206{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AE-63BE-5401-00000000A802}4028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.206{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AE-63BE-5401-00000000A802}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.033{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C4AE-63BE-5401-00000000A802}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:14.033{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.033{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:14.033{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.033{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:14.033{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.033{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:14.033{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.033{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:14.033{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.033{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C4AE-63BE-5401-00000000A802}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.033{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C4AE-63BE-5401-00000000A802}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.034{3EE3745C-C4AE-63BE-5401-00000000A802}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.859{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8106E13ACF4AA04E1829A9600C04725C,SHA256=E1CA7612CA5BDE22FD89151513A2EE59F1BC7A54FBF5012BE66D0284B680FC20,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:15.329{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:15.329{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CB9AE81C3EF7BCF47BF6699F995609,SHA256=188C4ABB8B4EFC5FF5105630AA493BE3B82BA8CF4D6E1920AA32202C335B0DD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.499{3EE3745C-C4AF-63BE-5601-00000000A802}26762628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.371{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AF-63BE-5601-00000000A802}2676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.371{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AF-63BE-5601-00000000A802}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.371{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AF-63BE-5601-00000000A802}2676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.371{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AF-63BE-5601-00000000A802}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.371{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AF-63BE-5601-00000000A802}2676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.371{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AF-63BE-5601-00000000A802}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.284{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C4AF-63BE-5601-00000000A802}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.284{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C4AF-63BE-5601-00000000A802}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.284{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C4AF-63BE-5601-00000000A802}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.285{3EE3745C-C4AF-63BE-5601-00000000A802}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000103530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:16.519{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:16.519{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98407DDB907CDADD5E38C1A0AFA83C3,SHA256=3983CB2CC505A3E176AED47DE491A481EAE10679E20459CD92300B00F5AB527C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.555{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4B0-63BE-5701-00000000A802}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.555{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4B0-63BE-5701-00000000A802}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 
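Added example, not part of this log export and not code from Sysmon, Splunk or Aurora: Python that decodes the GrantedAccess masks appearing in the Event ID 10 (ProcessAccess) records above (0x1010, 0x1400, 0x101400, 0x1fffff) and triages each access by who holds the handle rather than by the mask alone. The sample records are constructed to mirror the page's events, in the same field order as the flattened v3 ProcessAccess data (UtcTime, SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace) with call traces trimmed; the final record, `C:\Users\Public\tool.exe` opening lsass.exe, is hypothetical and does not appear on this page. The allowlist of source images and the set of sensitive targets are assumptions to tune per environment.

```python
"""Decode Sysmon EID 10 (ProcessAccess) GrantedAccess masks and triage the events.

Added example. SAMPLE_EVENTS are constructed to mirror the records on this page;
the lsass.exe record is hypothetical. ALLOWED_SOURCES and SENSITIVE_TARGETS are assumptions.
"""
from typing import Dict, List

# Process access rights from winnt.h (documented constant values).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF

# Rights that let the holder read or tamper with the target's memory and threads.
INTRUSIVE = {"PROCESS_VM_READ", "PROCESS_VM_WRITE", "PROCESS_VM_OPERATION",
             "PROCESS_CREATE_THREAD", "PROCESS_DUP_HANDLE", "PROCESS_SUSPEND_RESUME"}

# Assumption: agents and subsystem processes that open other processes as part
# of normal operation on the hosts in this log; tune per environment.
ALLOWED_SOURCES = {
    r"c:\windows\sysmon64.exe",
    r"c:\program files\aurora-agent\aurora-agent.exe",
    r"c:\program files\splunkuniversalforwarder\bin\splunkd.exe",
    r"c:\program files\splunkuniversalforwarder\bin\splunk-regmon.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\conhost.exe",
}
SENSITIVE_TARGETS = {"lsass.exe"}  # assumption: credential-bearing processes

# Field order of the v3 ProcessAccess event data as it appears in this export.
FIELDS = ("UtcTime", "SourceProcessGUID", "SourceProcessId", "SourceThreadId",
          "SourceImage", "TargetProcessGUID", "TargetProcessId", "TargetImage",
          "GrantedAccess", "CallTrace")

# Constructed records mirroring the page (call traces trimmed); the last one is hypothetical.
SAMPLE_EVENTS: List[Dict[str, str]] = [dict(zip(FIELDS, t)) for t in (
    ("2023-01-11 14:16:15.371", "{3EE3745C-BE85-63BE-2100-00000000A802}", "1552", "2904",
     r"C:\Program Files\Aurora-Agent\aurora-agent.exe",
     "{3EE3745C-C4AF-63BE-5601-00000000A802}", "2676",
     r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe", "0x1010",
     r"C:\Windows\SYSTEM32\ntdll.dll+a6154|..."),
    ("2023-01-11 14:16:15.284", "{3EE3745C-BE84-63BE-0C00-00000000A802}", "728", "872",
     r"C:\Windows\system32\svchost.exe",
     "{3EE3745C-BE85-63BE-1A00-00000000A802}", "1896",
     r"C:\Windows\sysmon64.exe", "0x1400", r"C:\Windows\SYSTEM32\ntdll.dll+a6154|..."),
    ("2023-01-11 14:16:15.284", "{3EE3745C-BE84-63BE-0500-00000000A802}", "416", "532",
     r"C:\Windows\system32\csrss.exe",
     "{3EE3745C-C4AF-63BE-5601-00000000A802}", "2676",
     r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe", "0x1fffff",
     r"C:\Windows\SYSTEM32\ntdll.dll+a6154|..."),
    ("2023-01-11 14:16:15.499", "{3EE3745C-C4AF-63BE-5601-00000000A802}", "2676", "2628",
     r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe",
     "{3EE3745C-BE85-63BE-2200-00000000A802}", "1620",
     r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe", "0x101400",
     r"C:\Windows\SYSTEM32\ntdll.dll+a6154|..."),
    # Hypothetical positive case, not from the page.
    ("2023-01-11 14:20:00.000", "{00000000-0000-0000-0000-000000000000}", "4242", "4243",
     r"C:\Users\Public\tool.exe", "{00000000-0000-0000-0000-000000000001}", "688",
     r"C:\Windows\system32\lsass.exe", "0x1010", r"C:\Windows\SYSTEM32\ntdll.dll+a6154|..."),
)]


def decode_access(mask: int) -> List[str]:
    """Expand a GrantedAccess mask into named rights, lowest bit first."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names, rest = [], mask
    for bit, name in sorted(PROCESS_RIGHTS.items()):
        if mask & bit:
            names.append(name)
            rest &= ~bit
    if rest:  # bits not in the table are reported, not silently dropped
        names.append(f"UNKNOWN_{rest:#x}")
    return names


def triage(event: Dict[str, str]) -> Dict[str, object]:
    """Rate one EID 10 event: who holds the handle matters as much as the mask."""
    rights = decode_access(int(event["GrantedAccess"], 16))
    source = event["SourceImage"].lower()
    target = event["TargetImage"].lower().rsplit("\\", 1)[-1]
    intrusive = rights == ["PROCESS_ALL_ACCESS"] or bool(INTRUSIVE.intersection(rights))
    if not intrusive:
        severity = "info"    # query-only handles such as 0x1000, 0x1400, 0x101400
    elif source in ALLOWED_SOURCES:
        severity = "low"     # expected agent or subsystem behaviour; keep for baselining
    elif target in SENSITIVE_TARGETS:
        severity = "high"    # memory access to a credential store by an unknown image
    else:
        severity = "medium"
    return {"source": source, "target": target, "rights": rights, "severity": severity}


def run(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[Dict[str, object]]:
    """Triage every event; returns one result per input record, in order."""
    return [triage(e) for e in events]


if __name__ == "__main__":
    for r in run():
        print(f"{r['severity']:<6} {r['source']} -> {r['target']} [{', '.join(r['rights'])}]")
```

Two things the records on this page make obvious and the rule is built around: csrss.exe, conhost.exe and the parent splunkd.exe open every newly created child (here splunk-regmon.exe and splunk-winprintmon.exe) with 0x1fffff, so alerting on PROCESS_ALL_ACCESS by itself fires on every process start; and the Aurora agent's 0x1010 (PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ) on each new process is normal for a scanning agent but is also the minimum a memory reader needs, which is why the same mask from an unlisted image against a sensitive target is rated high rather than low.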
10341000x800000000000000040180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.555{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4B0-63BE-5701-00000000A802}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 354300x800000000000000040179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.707{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50004-false10.0.1.12-8000- 10341000x800000000000000040178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.468{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C4B0-63BE-5701-00000000A802}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.468{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C4B0-63BE-5701-00000000A802}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.468{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C4B0-63BE-5701-00000000A802}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Sysmon records, one per line, in the order they appear in the export. Fields common to every record: Channel Microsoft-Windows-Sysmon/Operational, Level 4, Opcode 0, Keywords 0x8000000000000000, RuleName -. Event versions: Event 1 v5, Event 3 v5, Event 10 v3, Event 11 v2, Event 23 v5. Every Event 23 (FileDelete) record below has IsExecutable false, Archived true and IMPHASH=00000000000000000000000000000000. Every Event 10 (ProcessAccess) record below is from Computer win-dc-ctus-attack-range-661.attackrange.local with SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe, SourceProcessGUID {7DAC9CB3-BF9C-63BE-B700-00000000A702}, SourceProcessId 5840, SourceThreadId 5876, GrantedAccess 0x40 and the identical CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850).

Event 1 ProcessCreate | RecordID 40166 | Computer win-host-ctus-attack-range-780 | UtcTime 2023-01-11 14:16:16.469 | ProcessGuid {3EE3745C-C4B0-63BE-5701-00000000A802} | ProcessId 3820 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | FileVersion 8.2.5 | Description/Product "Windows Print Monitor splunk Application" (the two fields are run together in the export) | Company Splunk Inc. | OriginalFileName splunk-winprintmon.exe | CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" | CurrentDirectory C:\Windows\system32\ | User NT AUTHORITY\SYSTEM | LogonGuid {3EE3745C-BE84-63BE-E703-000000000000} | LogonId 0x3e7 | TerminalSessionId 0 | IntegrityLevel System | Hashes MD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9 | ParentProcessGuid {3EE3745C-BE85-63BE-2200-00000000A802} | ParentProcessId 1620 | ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
Event 11 FileCreate | RecordID 103528 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:16.018 | ProcessGuid {7DAC9CB3-BE97-63BE-2800-00000000A702} | ProcessId 2656 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml | CreationUtcTime 2023-01-10 09:33:07.314
Event 23 FileDelete | RecordID 103527 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:16.018 | ProcessGuid {7DAC9CB3-BE97-63BE-2800-00000000A702} | ProcessId 2656 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml | MD5=C93D7F75CF3EFE18E7D134A5CEA61516 | SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1
Event 11 FileCreate | RecordID 103533 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:17.615 | ProcessGuid {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId 3632 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2023-01-10 09:32:18.990
Event 23 FileDelete | RecordID 103532 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:17.615 | ProcessGuid {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId 3632 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=638881A715022C3C35B47A7E3DF89940 | SHA256=AE314D665F9739EBB11E70FED95AA9E2AC815B92C4ECAB5CC654E05594FEB744
Event 23 FileDelete | RecordID 40184 | Computer win-host-ctus-attack-range-780 | UtcTime 2023-01-11 14:16:17.592 | ProcessGuid {3EE3745C-BE98-63BE-7400-00000000A802} | ProcessId 3564 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=D5C9C95146C3FB998B129F279FB60D62 | SHA256=5EF2C16DAE0DA0CD785274E87A32B21266FEF3B67E470D6AF03D9CDFE8C83F38
Event 23 FileDelete | RecordID 40183 | Computer win-host-ctus-attack-range-780 | UtcTime 2023-01-11 14:16:16.994 | ProcessGuid {3EE3745C-BE98-63BE-7400-00000000A802} | ProcessId 3564 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=E296F6F7C9B252DB45A5D5C45ABF8F42 | SHA256=2E4B28B2E9CC217BEB5B8A82C708CB05B05C2FBBE7B12F872A82F55B93CA7375
Event 3 NetworkConnect | RecordID 103531 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:15.811 | ProcessGuid {7DAC9CB3-BE97-63BE-2800-00000000A702} | ProcessId 2656 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | User NT AUTHORITY\SYSTEM | Protocol tcp | Initiated true | SourceIsIpv6 false | SourceIp 10.0.1.14 | SourceHostname win-dc-ctus-attack-range-661.attackrange.local | SourcePort 59583 | SourcePortName - | DestinationIsIpv6 false | DestinationIp 10.0.1.12 | DestinationHostname ip-10-0-1-12.us-east-2.compute.internal | DestinationPort 8089 | DestinationPortName -
Event 11 FileCreate | RecordID 103536 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:18.714 | ProcessGuid {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId 3632 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2023-01-10 09:32:18.990
Event 23 FileDelete | RecordID 103535 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:18.714 | ProcessGuid {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId 3632 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=2C3B4E4B4D3DCC03E1BDF472D931F7BA | SHA256=022321150B0841DCDEEC503D56C10793E830D73BEC2E1EEDB223D6C6478F2749
Event 23 FileDelete | RecordID 40185 | Computer win-host-ctus-attack-range-780 | UtcTime 2023-01-11 14:16:18.196 | ProcessGuid {3EE3745C-BE98-63BE-7400-00000000A802} | ProcessId 3564 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=628924527F49FBAE975C5FD5A535A215 | SHA256=7392B5BD3442D4E90EDA2EDDBFA4E94EFCB80D3B17E4E6CB9C698F3215A3EA09
Event 3 NetworkConnect | RecordID 103534 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:16.985 | ProcessGuid {7DAC9CB3-BEA4-63BE-7100-00000000A702} | ProcessId 3944 | Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User NT AUTHORITY\SYSTEM | Protocol tcp | Initiated true | SourceIsIpv6 false | SourceIp 10.0.1.14 | SourceHostname win-dc-ctus-attack-range-661.attackrange.local | SourcePort 59584 | SourcePortName - | DestinationIsIpv6 false | DestinationIp 10.0.1.12 | DestinationHostname ip-10-0-1-12.us-east-2.compute.internal | DestinationPort 8000 | DestinationPortName -
Event 11 FileCreate | RecordID 103538 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:19.910 | ProcessGuid {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId 3632 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2023-01-10 09:32:18.990
Event 23 FileDelete | RecordID 103537 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:19.910 | ProcessGuid {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId 3632 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=47F4474BB44CDD7405648246DE15B3D6 | SHA256=A7B45D9EE71E248AA9A4005C0B958B509A47FBD6C0CDB4F34E2EEE203D240157
Event 23 FileDelete | RecordID 40186 | Computer win-host-ctus-attack-range-780 | UtcTime 2023-01-11 14:16:19.297 | ProcessGuid {3EE3745C-BE98-63BE-7400-00000000A802} | ProcessId 3564 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=295885FF964E71E90DF2A614E7E3AF77 | SHA256=562C6041F20190DEB60540EF60FBFDE7520AC5E717D6237CC2784C3FFD087B80
Event 11 FileCreate | RecordID 103540 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:20.998 | ProcessGuid {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId 3632 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2023-01-10 09:32:18.990
Event 23 FileDelete | RecordID 103539 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:20.998 | ProcessGuid {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId 3632 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=09F967ED1B85C11274C20082CC202072 | SHA256=7D87BA3B073034132919CDC1F9F1E902FFE349E28DBC2D81DED8069DAAC47F31
Event 23 FileDelete | RecordID 40187 | Computer win-host-ctus-attack-range-780 | UtcTime 2023-01-11 14:16:20.386 | ProcessGuid {3EE3745C-BE98-63BE-7400-00000000A802} | ProcessId 3564 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D251BBC9152A7E3DA7A334493A8630A2 | SHA256=8E83C0225C11A350F42FF1364E4FAEFE8B7721EB23691F33A7CF0021FDD466EE
Event 3 NetworkConnect | RecordID 40189 | Computer win-host-ctus-attack-range-780 | UtcTime 2023-01-11 14:16:19.856 | ProcessGuid {3EE3745C-BE91-63BE-6200-00000000A802} | ProcessId 3328 | Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User NT AUTHORITY\SYSTEM | Protocol tcp | Initiated true | SourceIsIpv6 false | SourceIp 10.0.1.15 | SourceHostname win-host-ctus-attack-range-780.us-east-2.compute.internal | SourcePort 50005 | SourcePortName - | DestinationIsIpv6 false | DestinationIp 10.0.1.12 | DestinationHostname - | DestinationPort 8000 | DestinationPortName -
Event 23 FileDelete | RecordID 40188 | Computer win-host-ctus-attack-range-780 | UtcTime 2023-01-11 14:16:21.473 | ProcessGuid {3EE3745C-BE98-63BE-7400-00000000A802} | ProcessId 3564 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=AD835B1382216DB92340A0EE703E4C1D | SHA256=FD79B86C2383CB93A03C9D0E463B32C9FC2242A6CCBBC2267AAC8DAE86FE75D7
Event 10 ProcessAccess | RecordID 103566 | UtcTime 2023-01-11 14:16:21.896 | TargetProcessGUID {7DAC9CB3-BE97-63BE-3000-00000000A702} | TargetProcessId 2760 | TargetImage C:\Windows\system32\dfssvc.exe
Event 10 ProcessAccess | RecordID 103565 | UtcTime 2023-01-11 14:16:21.894 | TargetProcessGUID {7DAC9CB3-BE97-63BE-2E00-00000000A702} | TargetProcessId 2740 | TargetImage C:\Windows\System32\ismserv.exe
Event 10 ProcessAccess | RecordID 103564 | UtcTime 2023-01-11 14:16:21.889 | TargetProcessGUID {7DAC9CB3-BE97-63BE-2D00-00000000A702} | TargetProcessId 2728 | TargetImage C:\Windows\sysmon64.exe
Event 10 ProcessAccess | RecordID 103563 | UtcTime 2023-01-11 14:16:21.887 | TargetProcessGUID {7DAC9CB3-BE97-63BE-2C00-00000000A702} | TargetProcessId 2708 | TargetImage C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
Event 10 ProcessAccess | RecordID 103562 | UtcTime 2023-01-11 14:16:21.881 | TargetProcessGUID {7DAC9CB3-BE97-63BE-2B00-00000000A702} | TargetProcessId 2700 | TargetImage C:\Windows\system32\DFSRs.exe
Event 10 ProcessAccess | RecordID 103561 | UtcTime 2023-01-11 14:16:21.879 | TargetProcessGUID {7DAC9CB3-BE97-63BE-2A00-00000000A702} | TargetProcessId 2692 | TargetImage C:\Windows\system32\svchost.exe
Event 10 ProcessAccess | RecordID 103560 | UtcTime 2023-01-11 14:16:21.875 | TargetProcessGUID {7DAC9CB3-BE97-63BE-2800-00000000A702} | TargetProcessId 2656 | TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Event 10 ProcessAccess | RecordID 103559 | UtcTime 2023-01-11 14:16:21.362 | TargetProcessGUID {7DAC9CB3-BE97-63BE-2700-00000000A702} | TargetProcessId 2552 | TargetImage C:\Windows\system32\dns.exe
Event 10 ProcessAccess | RecordID 103558 | UtcTime 2023-01-11 14:16:21.340 | TargetProcessGUID {7DAC9CB3-BE97-63BE-2600-00000000A702} | TargetProcessId 2544 | TargetImage C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
Event 10 ProcessAccess | RecordID 103557 | UtcTime 2023-01-11 14:16:21.330 | TargetProcessGUID {7DAC9CB3-BE97-63BE-2500-00000000A702} | TargetProcessId 2468 | TargetImage C:\Windows\System32\spoolsv.exe
Event 10 ProcessAccess | RecordID 103556 | UtcTime 2023-01-11 14:16:21.319 | TargetProcessGUID {7DAC9CB3-BE92-63BE-2300-00000000A702} | TargetProcessId 2324 | TargetImage C:\Windows\System32\svchost.exe
Event 10 ProcessAccess | RecordID 103555 | UtcTime 2023-01-11 14:16:21.317 | TargetProcessGUID {7DAC9CB3-BE8A-63BE-1D00-00000000A702} | TargetProcessId 2072 | TargetImage C:\Windows\system32\svchost.exe
Event 10 ProcessAccess | RecordID 103554 | UtcTime 2023-01-11 14:16:21.309 | TargetProcessGUID {7DAC9CB3-BE89-63BE-1700-00000000A702} | TargetProcessId 1424 | TargetImage C:\Windows\system32\svchost.exe
Event 10 ProcessAccess | RecordID 103553 | UtcTime 2023-01-11 14:16:21.258 | TargetProcessGUID {7DAC9CB3-BE89-63BE-1600-00000000A702} | TargetProcessId 1300 | TargetImage C:\Windows\System32\svchost.exe
Event 10 ProcessAccess | RecordID 103552 | UtcTime 2023-01-11 14:16:21.246 | TargetProcessGUID {7DAC9CB3-BE89-63BE-1500-00000000A702} | TargetProcessId 1236 | TargetImage C:\Windows\system32\svchost.exe
Event 10 ProcessAccess | RecordID 103551 | UtcTime 2023-01-11 14:16:21.233 | TargetProcessGUID {7DAC9CB3-BE89-63BE-1400-00000000A702} | TargetProcessId 1120 | TargetImage C:\Windows\system32\dwm.exe
Event 10 ProcessAccess | RecordID 103550 | UtcTime 2023-01-11 14:16:21.215 | TargetProcessGUID {7DAC9CB3-BE89-63BE-1300-00000000A702} | TargetProcessId 932 | TargetImage C:\Windows\system32\svchost.exe
Event 10 ProcessAccess | RecordID 103549 | UtcTime 2023-01-11 14:16:21.198 | TargetProcessGUID {7DAC9CB3-BE89-63BE-1200-00000000A702} | TargetProcessId 488 | TargetImage C:\Windows\system32\svchost.exe
Event 10 ProcessAccess | RecordID 103548 | UtcTime 2023-01-11 14:16:21.181 | TargetProcessGUID {7DAC9CB3-BE89-63BE-1100-00000000A702} | TargetProcessId 412 | TargetImage C:\Windows\System32\svchost.exe
Event 10 ProcessAccess | RecordID 103547 | UtcTime 2023-01-11 14:16:21.168 | TargetProcessGUID {7DAC9CB3-BE89-63BE-1000-00000000A702} | TargetProcessId 100 | TargetImage C:\Windows\System32\svchost.exe
Event 10 ProcessAccess | RecordID 103546 | UtcTime 2023-01-11 14:16:21.158 | TargetProcessGUID {7DAC9CB3-BE89-63BE-0F00-00000000A702} | TargetProcessId 388 | TargetImage C:\Windows\system32\LogonUI.exe
Event 10 ProcessAccess | RecordID 103545 | UtcTime 2023-01-11 14:16:21.126 | TargetProcessGUID {7DAC9CB3-BE89-63BE-0E00-00000000A702} | TargetProcessId 1020 | TargetImage C:\Windows\System32\svchost.exe
Event 10 ProcessAccess | RecordID 103544 | UtcTime 2023-01-11 14:16:21.112 | TargetProcessGUID {7DAC9CB3-BE89-63BE-0D00-00000000A702} | TargetProcessId 896 | TargetImage C:\Windows\system32\svchost.exe
Event 10 ProcessAccess | RecordID 103543 | UtcTime 2023-01-11 14:16:21.091 | TargetProcessGUID {7DAC9CB3-BE88-63BE-0C00-00000000A702} | TargetProcessId 836 | TargetImage C:\Windows\system32\svchost.exe
Event 10 ProcessAccess | RecordID 103542 | UtcTime 2023-01-11 14:16:21.013 | TargetProcessGUID {7DAC9CB3-BE87-63BE-0B00-00000000A702} | TargetProcessId 636 | TargetImage C:\Windows\system32\lsass.exe
Event 10 ProcessAccess | RecordID 103541 | UtcTime 2023-01-11 14:16:21.011 | TargetProcessGUID {7DAC9CB3-BE86-63BE-0900-00000000A702} | TargetProcessId 576 | TargetImage C:\Windows\system32\winlogon.exe
Event 11 FileCreate | RecordID 103568 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:22.346 | ProcessGuid {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId 3632 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2023-01-10 09:32:18.990
Event 23 FileDelete | RecordID 103567 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:22.346 | ProcessGuid {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId 3632 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C744050BB721E01A8954AFBAC3986250 | SHA256=7FEE06B49E20986D79AA4C29498BF528D04A182D6434FB9F15F139913292B270
Event 23 FileDelete | RecordID 40190 | Computer win-host-ctus-attack-range-780 | UtcTime 2023-01-11 14:16:22.573 | ProcessGuid {3EE3745C-BE98-63BE-7400-00000000A802} | ProcessId 3564 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=12ED7875AD30725C9DCAA23013E61000 | SHA256=4234DEC3DC9BBEEF2BBD35520F2846DC538F51121CCA37A8F9E242F100D8B24E
Event 23 FileDelete | RecordID 40191 | Computer win-host-ctus-attack-range-780 | UtcTime 2023-01-11 14:16:23.675 | ProcessGuid {3EE3745C-BE98-63BE-7400-00000000A802} | ProcessId 3564 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=1BB9F323EF3B1BD5544D9909EA8817C3 | SHA256=487EEE76D82A06A3F7FBBC85E489CD735BCE93B7AD7183275A223EEE55FE2957
Event 10 ProcessAccess | RecordID 103573 | UtcTime 2023-01-11 14:16:23.933 | TargetProcessGUID {7DAC9CB3-BE98-63BE-3D00-00000000A702} | TargetProcessId 3280 | TargetImage C:\Windows\System32\vds.exe
Event 10 ProcessAccess | RecordID 103572 | UtcTime 2023-01-11 14:16:23.931 | TargetProcessGUID {7DAC9CB3-BE98-63BE-3600-00000000A702} | TargetProcessId 3116 | TargetImage C:\Windows\system32\conhost.exe
Event 10 ProcessAccess | RecordID 103571 | UtcTime 2023-01-11 14:16:23.930 | TargetProcessGUID {7DAC9CB3-BE97-63BE-3100-00000000A702} | TargetProcessId 3028 | TargetImage C:\Windows\system32\wbem\unsecapp.exe
Event 11 FileCreate | RecordID 103570 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:23.446 | ProcessGuid {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId 3632 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2023-01-10 09:32:18.990
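The Event ID 10 (ProcessAccess) records above show aurora-agent.exe on win-dc-ctus-attack-range-661 opening a handle to every running process, lsass.exe (record 103542) and winlogon.exe included, with GrantedAccess 0x40. That mask is PROCESS_DUP_HANDLE alone; it carries none of the PROCESS_VM_READ / PROCESS_VM_WRITE rights a credential dumper needs on LSASS, which is why a mask-aware rule stays quiet on this scanner sweep. The following is an added example, not part of the dump and not code from the Aurora, Sysmon or Splunk projects: it decodes a GrantedAccess mask into Win32 right names and applies an illustrative LSASS-access rule. Record 103542 is rebuilt from the dump in Sysmon's XML EventData shape (System fields trimmed, xmlns omitted); the procdump.exe record with mask 0x1410 is constructed for contrast, and the rule, allowlist and function names are this example's own.

```python
"""Decode Sysmon Event ID 10 GrantedAccess masks and apply an LSASS-access rule.

Added example built around record 103542 from the dump above; the second
record and the rule itself are constructed for illustration.
"""

import xml.etree.ElementTree as ET

# Process access rights (winnt.h values). Sysmon reports the mask actually
# granted on the target process as a hex string in GrantedAccess.
PROCESS_RIGHTS = {
    0x00000001: "PROCESS_TERMINATE",
    0x00000002: "PROCESS_CREATE_THREAD",
    0x00000008: "PROCESS_VM_OPERATION",
    0x00000010: "PROCESS_VM_READ",
    0x00000020: "PROCESS_VM_WRITE",
    0x00000040: "PROCESS_DUP_HANDLE",
    0x00000080: "PROCESS_CREATE_PROCESS",
    0x00000100: "PROCESS_SET_QUOTA",
    0x00000200: "PROCESS_SET_INFORMATION",
    0x00000400: "PROCESS_QUERY_INFORMATION",
    0x00000800: "PROCESS_SUSPEND_RESUME",
    0x00001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00002000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
KNOWN_BITS = 0
for _bit in PROCESS_RIGHTS:
    KNOWN_BITS |= _bit

# Rights that read or tamper with the target's memory. Dumping LSASS needs at
# least PROCESS_VM_READ; injection needs CREATE_THREAD / VM_WRITE / VM_OPERATION.
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020


def decode_access(mask: int) -> list[str]:
    """Expand a GrantedAccess mask into right names; unknown bits stay as hex."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~KNOWN_BITS
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def parse_event(xml_text: str) -> dict:
    """Flatten one Sysmon <Event> into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    rec = {
        "EventID": int(root.findtext("System/EventID")),
        "EventRecordID": int(root.findtext("System/EventRecordID")),
        "Computer": root.findtext("System/Computer"),
    }
    for data in root.iterfind("EventData/Data"):
        rec[data.get("Name")] = data.text or ""
    return rec


def lsass_access_verdict(rec: dict, allowlist=frozenset()) -> tuple[list[str], bool]:
    """Return (decoded rights, fires?) for an Event ID 10 record.

    Fires when the target is lsass.exe, the source image is not allowlisted
    and the granted mask includes a memory right. PROCESS_DUP_HANDLE (0x40)
    on its own, as in the aurora-agent.exe records, does not qualify.
    """
    mask = int(rec["GrantedAccess"], 16)
    rights = decode_access(mask)
    if rec["EventID"] != 10:
        return rights, False
    target = rec["TargetImage"].rsplit("\\", 1)[-1].lower()
    source = rec["SourceImage"].lower()
    fires = target == "lsass.exe" and source not in allowlist and bool(mask & MEMORY_RIGHTS)
    return rights, fires


# Record 103542 from the dump, rebuilt in Sysmon's XML shape.
REAL_AURORA_LSASS = r"""<Event>
  <System><EventID>10</EventID><EventRecordID>103542</EventRecordID>
  <Computer>win-dc-ctus-attack-range-661.attackrange.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2023-01-11 14:16:21.013</Data>
    <Data Name="SourceProcessId">5840</Data>
    <Data Name="SourceImage">C:\Program Files\Aurora-Agent\aurora-agent.exe</Data>
    <Data Name="TargetProcessId">636</Data>
    <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
    <Data Name="GrantedAccess">0x40</Data>
  </EventData>
</Event>"""

# Constructed for contrast (not from the dump): an unknown binary granted
# VM_READ | QUERY_INFORMATION | QUERY_LIMITED_INFORMATION on lsass.exe.
CONSTRUCTED_DUMPER = r"""<Event>
  <System><EventID>10</EventID><EventRecordID>999999</EventRecordID>
  <Computer>win-dc-ctus-attack-range-661.attackrange.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2023-01-11 14:20:00.000</Data>
    <Data Name="SourceProcessId">7100</Data>
    <Data Name="SourceImage">C:\Users\Public\procdump.exe</Data>
    <Data Name="TargetProcessId">636</Data>
    <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
    <Data Name="GrantedAccess">0x1410</Data>
  </EventData>
</Event>"""


def run(events=(REAL_AURORA_LSASS, CONSTRUCTED_DUMPER), allowlist=frozenset()):
    """Evaluate each event; returns {EventRecordID: (rights, fires)}."""
    out = {}
    for xml_text in events:
        rec = parse_event(xml_text)
        out[rec["EventRecordID"]] = lsass_access_verdict(rec, allowlist)
    return out


if __name__ == "__main__":
    for rid, (rights, fires) in run().items():
        print(rid, "FIRE" if fires else "ok", "|".join(rights))
```

Keying the rule on the mask rather than on the source image is what keeps the verdict honest: an allowlist for aurora-agent.exe would have been unnecessary here, because 0x40 never satisfies it, while a renamed dumper asking for 0x1410 fires regardless of its path unless you explicitly allowlist it.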
Sysmon records, one per line, in export order. Fields common to every record: Channel Microsoft-Windows-Sysmon/Operational, Level 4, Opcode 0, Keywords 0x8000000000000000, RuleName -. Event versions: Event 3 v5, Event 10 v3, Event 11 v2, Event 23 v5. Every Event 23 (FileDelete) record below has IsExecutable false, Archived true and IMPHASH=00000000000000000000000000000000. Every Event 10 (ProcessAccess) record below is from Computer win-dc-ctus-attack-range-661.attackrange.local with SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe, SourceProcessGUID {7DAC9CB3-BF9C-63BE-B700-00000000A702}, SourceProcessId 5840, SourceThreadId 5876, GrantedAccess 0x40 and the identical CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850).

Event 23 FileDelete | RecordID 103569 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:23.446 | ProcessGuid {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId 3632 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=669367C3DD52EB3747CD25B37C53A0D3 | SHA256=455A66A51E53AC4DDE31EF6F5E8CA6F5A11CCBA3C808954CCA80359B7B2D4CE4
Event 23 FileDelete | RecordID 40221 | Computer win-host-ctus-attack-range-780 | UtcTime 2023-01-11 14:16:24.976 | ProcessGuid {3EE3745C-BE98-63BE-7400-00000000A802} | ProcessId 3564 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=62A03B81357995FF5BA77565B71329F0 | SHA256=B4603E424F3AB592AFC2BF083AF9359174ACA90494030EC94128444250598B98
Event 3 NetworkConnect | RecordID 103592 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:22.849 | ProcessGuid {7DAC9CB3-BEA4-63BE-7100-00000000A702} | ProcessId 3944 | Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User NT AUTHORITY\SYSTEM | Protocol tcp | Initiated true | SourceIsIpv6 false | SourceIp 10.0.1.14 | SourceHostname win-dc-ctus-attack-range-661.attackrange.local | SourcePort 59585 | SourcePortName - | DestinationIsIpv6 false | DestinationIp 10.0.1.12 | DestinationHostname ip-10-0-1-12.us-east-2.compute.internal | DestinationPort 8000 | DestinationPortName -
Event 10 ProcessAccess | RecordID 103591 | UtcTime 2023-01-11 14:16:24.553 | TargetProcessGUID {7DAC9CB3-C46E-63BE-A901-00000000A702} | TargetProcessId 6256 | TargetImage C:\Windows\system32\conhost.exe
Event 10 ProcessAccess | RecordID 103590 | UtcTime 2023-01-11 14:16:24.551 | TargetProcessGUID {7DAC9CB3-C46E-63BE-A801-00000000A702} | TargetProcessId 5796 | TargetImage C:\Windows\system32\cmd.exe
Event 10 ProcessAccess | RecordID 103589 | UtcTime 2023-01-11 14:16:24.549 | TargetProcessGUID {7DAC9CB3-C226-63BE-5B01-00000000A702} | TargetProcessId 4528 | TargetImage C:\Program Files\Notepad++\notepad++.exe
Event 10 ProcessAccess | RecordID 103588 | UtcTime 2023-01-11 14:16:24.548 | TargetProcessGUID {7DAC9CB3-C059-63BE-F300-00000000A702} | TargetProcessId 6208 | TargetImage C:\Windows\system32\wbem\wmiprvse.exe
Event 11 FileCreate | RecordID 103587 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:24.544 | ProcessGuid {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId 3632 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2023-01-10 09:32:18.990
Event 23 FileDelete | RecordID 103586 | Computer win-dc-ctus-attack-range-661.attackrange.local | UtcTime 2023-01-11 14:16:24.544 | ProcessGuid {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId 3632 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049727D1C7E511426A8A1144F6468FF2,SHA256=3271DE8BA69BFF0DDC773CC00CE53E8416210320D6680F80C57FDD59B277272D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.536{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000103584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.526{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 
10341000x8000000000000000103583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.496{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000103582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.485{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000103581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.462{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000103580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.456{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000103579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.454{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000103578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.450{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000103577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.446{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000040220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.620{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.618{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.615{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.613{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.612{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.608{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.607{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.606{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.603{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.598{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.589{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.585{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.582{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.575{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.563{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 
10341000x800000000000000040205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.558{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.537{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.527{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.495{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.487{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.477{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.467{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.458{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.450{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.440{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 