23542300x800000000000000038931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:47.484{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3797E52576EC4F0C02A6BCEBA2CA807F,SHA256=3E1D23D7FFCC044AFF82DAC5062C6D68E9F7EC3F703A0A4D063E199D547799D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:45.967{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59520-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000038933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:48.577{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0E7D361DA202FBC7C6C0998F9FA512,SHA256=24BF423DC2743D6978E0DDDBBEC4643AB1C689046CA262305662854BFB2A9844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:48.433{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\respondent-20230111135017-020MD5=07F426DA1BACB3E11353998655DE41A4,SHA256=9692EE6582095E917EA0BD91D619685FE73AB8816512AD24B6859CB275BF64B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:48.004{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B2BC9D81B95B7C7BEE72B02ECCB9C1,SHA256=C675FDF4D0F8D2EBB5575CA9C27BBF61245F5D0E7A690565659BBDEC3DB21AFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:46.686{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49950-false10.0.1.12-8000- 23542300x800000000000000038934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:49.658{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83975160A4599013CC990111985D4A37,SHA256=7E664ABA07381DAF719E1503E14BE3D74FA98D46C69DFEEF2EAF819B8C6B3B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:49.443{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\surveyor-20230111135015-021MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:49.093{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECEBE1756F9D459D37FFD8A345A72612,SHA256=238C197F1AF7DFDFF4F9F9B1483849187095A4104F43FFE20C50120721DB3821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:50.753{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94BE94AB0A6FA61A3BE70836DC3857BC,SHA256=2D555A4C89D8260ADAB7354C9EEE0C1409E57D587FFC79B563FF8195D6C384ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:50.198{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2AC1567B6B2F60B213949D937797D18,SHA256=F1920437AE8A4A91B436EED7B4C069829DAF41F0B951C0C7117EEE6E81F5134D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:51.857{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1900EA90A65C9B4283DB9D9017117A2A,SHA256=9DE3784FD38F0476B9F55D0074531259B1FB2CCC21B5AA603747F041F52A5B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:51.300{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5BDD715837D1F5E4C60A0432A2E81E,SHA256=6D961547A0DFE1AA14BE65715ED49C920A1EA0687D0E461BF7F9B477C21A37B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:52.951{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC0E2706A3AF4E1CB24E4CBB1EA2E12,SHA256=601537F8505E7DDA559C0CB1E220E8DA81B5C05433A3BEA1BC7310E471AEBA91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:52.404{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D4F42109549A1EDC4CEFC4785CB44D,SHA256=142B2DD509E47959346E96F3582637999A6D3854B9E151EBCA9B6EC07F3513EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:53.713{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A06CF677DFAC51D5D4794BA1504A3D,SHA256=DAB1E993E412ACB5F608F3479F81AA21877CE019E472B90ABD0AFDC4871324C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:51.864{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59521-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000038938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:51.720{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49951-false10.0.1.12-8000- 23542300x8000000000000000101625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:54.695{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E357EF043EBABA1215C8075F3F3FB30,SHA256=516941F90CC2E17DF2935BFB674432BC08DCAD4C5CEA1D3796ADBB857F79D698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:54.056{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB7B01FC54031BA122C84DD9E1B2799,SHA256=8259D0E403F9F1F7A0351C2E9BB83C42C330B2DE680DC006CD7642A174754575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:55.791{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11DBDE0A97F934894E6ED2E089FD3A8,SHA256=A781CBDA9205A6679DAD6A66D0454D3CB85EA96D2D0FD7F93235F94F98350DAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:55.159{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6C4D32BB4057A8F3F5FA0CC7FA84F3,SHA256=9899FA3F09864D73CDA03BB845451CDE51120FF715C7B57DA25CBA788FCD4F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:56.887{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F45FCF1F0E81FDE4D9720F90641408F4,SHA256=A1EC4EFD575B06E6C97D80D06B90F3AE6992D8425BB1BD50A5A504AAE599D95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:56.285{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34169F27C9701CA1D22854E6F5484AB,SHA256=E3A7DC9588218986D5690143DFED4EEFC191BEB44CEE6A66602AF5460A35DA2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:57.933{3EE3745C-BE85-63BE-1100-00000000A802}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DA338E760D34EAE45FA14B6C24F3734C,SHA256=AED0E878CEDE535A9F9D31E4E6A0E4972711848DAF8FC71CC0D5A6237E98714F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:57.483{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58F78F22F14185908197317B74BE163,SHA256=356E021046C1695E6E5B48C2A512B47C5BE5FCAACF84F405B9E05F5DE22CBE44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:58.575{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDEB71CC15860963FC62A1ED5374BF3,SHA256=86068DF81BC445239026A1AF25DDBABAEA18266C32AB98177DCC56093E66A9D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:58.087{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B1A4AADAB43C04FD01BE4D5101E5E6,SHA256=3C1A9C58BCA5BC5D807B077EF27B7159B4D9D073CE250672106C82A0C525C3A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:59.674{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60C8962E749834AAA439D67B677CDDA,SHA256=3C711B07027AFA2F2BA994FE7E93A64A036BA6A51F00ECDFA52A8F3EF63E2225,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:57.887{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59522-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:59.173{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD15A47DDAF7BB02DF5D1E4B76BABBB,SHA256=F0B288BB6D74827E2518AE895F7DDE89F01B0AC883650D3F361FC7AEC8D6CC95,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:57.670{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49952-false10.0.1.12-8000- 23542300x800000000000000038947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:00.877{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B124FE3EBADCD8D76F71E8BEB350F9,SHA256=96BE7B7B6C4F7C5ACC73DE72EEBF60623212729347FCC6C622A941761629AEC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:00.996{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 23542300x8000000000000000101632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:00.670{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D073BF0A084F8912CBBEB04EA40902ED,SHA256=C0BF0CE0ED483A4E7B5C5C876301DE2DD2E5EBECBF39107D642A749528EA4DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:00.264{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A51D52F583FBC62F34AB1A188D8D01F5,SHA256=A51DAE3362BD26C337C1241ED98A9437889FCD8F0612F25F49B4ECB50EC63488,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:01.115{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:01.115{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:01.115{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000101652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.333{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794494A51666C2E3DE4DD499D3E08784,SHA256=F1D8FBDE0F23D5D4535A0DB94F3F195A0DBAD184BF202AA2AC5AF8F518F92D45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.258{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.244{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.236{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.232{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.231{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.228{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.190{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.179{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.172{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.145{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.130{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.118{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.109{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.101{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.086{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.073{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.057{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.001{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 23542300x8000000000000000101661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.468{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=427ACF41F16964F505966E4CEE4D2456,SHA256=9174267E4C6E63127B407076DE28C6BAE548BD8325AA961E063E67F673A256D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:02.085{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AB499AAA7059E692AB136AED74EB47,SHA256=AA16F8A20C1FBE6161CDE4B995E6CC7B468450911C2ABF1FFBE3DED8CC2D51EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.116{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.115{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.109{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.107{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.100{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.098{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.095{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 23542300x8000000000000000101653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.068{7DAC9CB3-BE89-63BE-1100-00000000A702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1E172C83060EBE99F9835A89A4A6DC94,SHA256=5F075E5DBBE8141A663D851B503AD0C85A22422CB6ED4E14BE42679345A75BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:03.663{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F193071E1BE3778FF926FAF35A85027,SHA256=2A7970F44D732AD225B3D6BC88B4C3BF5AA40CF23C3DC894E7C2A28C4510D941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:03.170{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF7B47AB32D22A0CE5B5FF8835FAA50,SHA256=C633857688F607AB2AC5858CF58ECAF5AD0A530157E3B86FD37E93D32E71B05A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.774{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C296-63BE-6E01-00000000A702}6532C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.773{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.767{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 23542300x8000000000000000101689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.756{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7558CF6EA9C80EBC66A937D084EF933,SHA256=44A2F808062B53DC38D0C6062B049C68796D1C1A5245AC251D31793D0A5B4CAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.749{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.737{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.708{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.699{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.687{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.681{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.679{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.676{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.673{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.669{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.668{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.665{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 354300x800000000000000038983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:02.825{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49953-false10.0.1.12-8000- 10341000x800000000000000038982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.655{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.648{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.643{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.636{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.628{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.622{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.620{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.612{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.607{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.603{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.597{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.593{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.589{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.581{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.573{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.571{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.553{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.538{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.496{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.488{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.481{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.463{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.450{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.441{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.423{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.413{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000038956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.409{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000038955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.406{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000038954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.404{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 23542300x800000000000000038953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.262{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05A86132F0BD03E7720FC318A8E0A38,SHA256=6F5F0099DA95D292B53E12B83668A4A2758983CFA529E2A0FD454DFDF2F91FBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.258{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.258{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.258{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.257{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.257{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.256{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.256{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.256{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.256{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.254{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.254{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.156{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.155{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.154{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 23542300x800000000000000038984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:05.802{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3DF9CB909C51E550A9DAB22D1FE4A7,SHA256=0FDA10F58515EA21A716E5BA6D3652A9BB76FAC383791EC92CC7C2D8A6B75A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:05.844{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB18094AF4105CD73CD4421D58A94FA,SHA256=4B5AB2C359BB8D0C8E614E4C839CE8DFBA6A01EAB755206C3189726EA4A00449,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:03.836{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59523-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000038985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:06.912{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B0C2EBDF6DFC2068280795CBF7C737,SHA256=328297D0998813CC630BD321571D430CCBCD554ABD3D14DCFDA85EBE7396227E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:06.827{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08874939B4F596338FE4C11A78DA4604,SHA256=4AF681B112DE71123AB9D648C0FC4E65C4395CA802E54998BDFB48380DA8F9B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:07.818{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:07.818{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:07.817{3EE3745C-BE84-63BE-0B00-00000000A802}6322392C:\Windows\system32\lsass.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:07.801{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-2100-00000000A802}1552C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:08.823{3EE3745C-BE84-63BE-0D00-00000000A802}7883900C:\Windows\system32\svchost.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000038990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:08.241{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5C97055EFF43F17E799055B02A351E,SHA256=4E6A84AB45C9A7D9C523CDC46B95916054908C4B33E46C7B68E697C612187F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:08.028{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF1FE8100CC986AEB1BC6AAA942D647,SHA256=52A3987A836838E72D413C3F4602F424F20206B4AA43DAFF3590D78E88D9B553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:09.452{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A9F14D9C79C20677535A9C6416CB0F,SHA256=D2E7A626006FCA3B85FFC31BF780ACE3627AE51914817C41228738A02F1EE3B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:09.151{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5CE63A2A48A352A945A43095E88CDF,SHA256=04E19561769D099AE4DFDD64511644AC3D271A48AEBD04E77B8A8C4770FDE740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:09.248{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:08.840{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49955-false10.0.1.12-8089- 354300x800000000000000038995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:08.684{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49954-false10.0.1.12-8000- 23542300x800000000000000038994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:10.770{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BDDD516B278C9F1DD040D858B9E5CD,SHA256=D074ED6375C8694EE6424E14E4B9BBDF093538709F24F34BAEB3F996E0936216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:08.634{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local61557- 354300x8000000000000000101699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:08.633{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local61380- 23542300x8000000000000000101698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:10.244{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DD661D54EA15235341B0845FC3BEF4,SHA256=79CAF3610C31AC6CAFBEACD623F8CB3343EFF8BFFE15FF95531593D2EE161C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.982{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=29B94C0C3EB397AD9484EEA2F7FE7BF5,SHA256=435CE66B097F701989A1C838368CE14F60B48AA64FA7C11287D3B6C1BC9EF329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.903{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D1488D055482B736305B947550F12B,SHA256=587B02E752C1CC0529865434CF3A2650772DF855AE4CD61F4A6E7AC270264889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.783{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=75EC090BC985669A2A43ED93A5729398,SHA256=02817F49162C23FD0A5DC0E38972FD364512FD9F6601BA9D005D0474D57EB377,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:08.929{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59524-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:11.343{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B61C4EF9FA431BEE96F5BE32B41FCBD,SHA256=6C13860E1082E5CC55ACE0B548FADBC4CC8FB46268D2297E3585E246696F2FC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3BB-63BE-3601-00000000A802}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C3BB-63BE-3601-00000000A802}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3BB-63BE-3601-00000000A802}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.705{3EE3745C-C3BB-63BE-3601-00000000A802}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000039010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.236{3EE3745C-C3BB-63BE-3501-00000000A802}27203692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3BB-63BE-3501-00000000A802}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C3BB-63BE-3501-00000000A802}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3BB-63BE-3501-00000000A802}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.033{3EE3745C-C3BB-63BE-3501-00000000A802}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.976{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6390726FA1910866CA83D1BDE81F5062,SHA256=C5706241F8A9F99DBE656420F10F42F841F929E8245129BCCA36DB0304A017C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:12.456{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CBEDB0539BE1B58F7537F870E7C7E2,SHA256=8FDD7DE3A802A85EA9159937F250F1ED36DDECDAE0690578F22520B1ACE62431,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3BC-63BE-3701-00000000A802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C3BC-63BE-3701-00000000A802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3BC-63BE-3701-00000000A802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-C3BC-63BE-3701-00000000A802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.120{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=868117D57C57C5D91AC3FE761D6B1C99,SHA256=74C19E6A66EAC7135DB2C20EF3BAB485AB73ECDC098DFCEA0900EA8887640D5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.985{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3BD-63BE-3801-00000000A802}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.984{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.984{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.984{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C3BD-63BE-3801-00000000A802}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.984{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3BD-63BE-3801-00000000A802}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.983{3EE3745C-C3BD-63BE-3801-00000000A802}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:13.559{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943E054A722D4A1627113E8144D378C5,SHA256=E37E9DE79FA013EE239FECEC250DEBE52B3EBF4E0134ECAB3D0BA6875AD16952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:14.652{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42BAA122989ADD523D66E2AD10CB967E,SHA256=94029B6A9C07E8DE07D823BBB984CCA245879192005035AFE9C81DEF2B7497C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.837{3EE3745C-C3BE-63BE-3901-00000000A802}920936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3BE-63BE-3901-00000000A802}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C3BE-63BE-3901-00000000A802}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3BE-63BE-3901-00000000A802}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.650{3EE3745C-C3BE-63BE-3901-00000000A802}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000039056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.196{3EE3745C-C3BD-63BE-3801-00000000A802}10121852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.053{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478B4FC874E5797A4DFED1BB4075A850,SHA256=BA788D6E7338ABA781F0848131A278DA99720A56970E699142A6D7DB0933AC4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:15.914{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:15.751{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3550191F7CC5D95634A03E1A864E89,SHA256=858211958289F5FFACD25E8076B7744D065E3A1EADACB5ED4388DC49A5B50517,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.407{3EE3745C-C3BF-63BE-3A01-00000000A802}16361084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3BF-63BE-3A01-00000000A802}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C3BF-63BE-3A01-00000000A802}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3BF-63BE-3A01-00000000A802}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.219{3EE3745C-C3BF-63BE-3A01-00000000A802}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:15.216{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FDF165834C6DDB37BC2E4E4685D58B,SHA256=310BF9A9092DE2A752E232F92B5513CD7D5B186EC8526AC9C155DC5A60789FCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3C0-63BE-3B01-00000000A802}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C3C0-63BE-3B01-00000000A802}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.656{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3C0-63BE-3B01-00000000A802}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.657{3EE3745C-C3C0-63BE-3B01-00000000A802}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:16.343{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D59B20771958418E1EB6E543C7F4001,SHA256=A1287ECCC122977FE712541F01D8E9C97A2E087BDE8CB11BC04A29FDA7B5E345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:16.858{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4218568EFE6478BB89AEBB6F144BC1CF,SHA256=905038BADDEA1E637A41F8B1E3A2436B3E9D465CD475D732203461CDAE9D4732,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:13.986{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59525-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000039086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.819{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49956-false10.0.1.12-8000- 23542300x8000000000000000101711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:17.966{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3DE3AF1EDC30676F302A29D98E26CD,SHA256=7280D06A8EE7685EAF2B7BCF143010824B37A14EF8EE2D2D85ED9DC1884DE4E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:17.754{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE322CD1670065861EB4B7B1F0C617F9,SHA256=FFFD0B819009ABC896BD0E02CF4E552F213591251D997FC8328B011E53C799F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:17.534{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E30C80F1D8CDE3550B2CE6E9CED639,SHA256=2243533E3B3BBE526C3225060F37FD5B0AE19F3B8A87F6A96AB4748E767B68E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:15.707{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59526-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000039103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:18.731{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A09DCE3900F34866FE1FD79DAF1FA75,SHA256=B80C8216D302CE67041A586B60D3AD342231142381DA0771083D02FEFACD4962,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:18.939{7DAC9CB3-BE89-63BE-0D00-00000000A702}8966096C:\Windows\system32\svchost.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:18.612{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:18.612{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:18.612{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:19.827{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FADB6578D963FAC7C853AEFD0683E1,SHA256=95C76D56C196316E563010DE734273A52B766C170EDC8EBD3A3AA67D6837C460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:19.162{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3737CFC9EDF19D5A60D27EB0F727B89B,SHA256=F53385C77701556C6E7C3E1B957D53B94212EC573272B8927A5B499E291BD96C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:20.255{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68E2EA4E09CC14BADCCD0D32ACF87DBF,SHA256=BFF851D5C2A6CAF26D5E4BD179E9D13798B1EB308EF6DE830F4FBEF812A7F68C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.890{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.888{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.879{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.876{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.869{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.859{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.855{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x8000000000000000101737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.407{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D51C8D90B5558E2B88D15A094A2CE6,SHA256=73DEF97CBB5728E1388F789040EE85DE3C424126006A55980C3349D560BBF347,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.301{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 354300x800000000000000039106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:18.840{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49957-false10.0.1.12-8000- 23542300x800000000000000039105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:21.038{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D51DAE39A421C8A1866BC6E190A8D5F,SHA256=4B01EC380F6A38FD1935683067DDD3F9642BA645DAD2697EE3A32D60ABC55E59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.285{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.275{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.270{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.267{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.260{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.216{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.208{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.199{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.181{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.155{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.143{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.133{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.124{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.111{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.096{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.086{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.013{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.008{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x8000000000000000101746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:22.357{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A4B45C2E20D404391943A6210F4D39,SHA256=29393406E024B596E893992DEAFC246B462660D0513090406F61D7EB82531B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:22.131{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF4DB12EA8E9B5B2B2DAA9EE30AFA3C,SHA256=92C0FA606E761EF5F63A9BE40919DE8311141C65CC230C0B4D3892CFB8B939EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:19.972{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59527-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000101750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:23.928{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:23.927{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:23.926{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x8000000000000000101747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:23.461{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F070E3F8D0AA1EF15D08D3FF93542EF,SHA256=BDE14B867DFCA1BFD7598092BC57268EEECFE2FF49E9FE85647B95D9E23165EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:23.343{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5166CE5AC6A20F15D6D1D70C1F39BE,SHA256=ABEB3ECA541E20D6F4C06ACB03D72291E937E8E5AB29F862DDC88D11A333C094,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.618{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C296-63BE-6E01-00000000A702}6532C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.611{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.607{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.586{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.573{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x8000000000000000101761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.547{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B91B5ABAA233D9606D4F1438697C8FF,SHA256=A14A85F17F603B2B912D82BF29B31DC34538E38B22AEF4664B9707DE2904D543,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.513{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.497{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.479{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.468{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.466{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000039138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.627{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.625{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.619{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.614{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.612{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.609{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.608{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.605{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.603{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.599{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.589{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.583{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.580{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.571{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.560{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.556{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.536{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.524{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.489{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.478{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.471{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.459{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.452{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.444{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 23542300x800000000000000039114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.436{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8003E7F789161488F77B94BB63203132,SHA256=309C42E48412A60350304DD3082954933911240A7C59162855C8B9190F3E9ECB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.434{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.420{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.412{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.402{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000039109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.395{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x8000000000000000101755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.458{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.451{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.446{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.445{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.442{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x800000000000000039139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:25.826{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBBCEA8D7BC43D69EA450AF77C97145,SHA256=CF13CC3FE3D293536E613E736BB536AC3859ADDD9101676E809B0407B9F12E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:25.539{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0FF75ED26DBE3642E9A024F55A6DD4,SHA256=0720CC76E59114135CF0AFE118EF2B9F593225137F8F4EB242624E8A71B8B52D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:26.977{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D723A869104D821F74EA1F1CCD36E8A,SHA256=D2324B903852FB154E2F2FDB760C2D4051840814B158770E7B4C48ECEE6F9A50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:26.634{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A979CF42C280A1940A415835D4E4C2,SHA256=DB13750A759DE1371D48E517D4AA13F17618F8313F9DD729C157E4F45CF4CE9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:24.634{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49958-false10.0.1.12-8000- 23542300x8000000000000000101770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:27.747{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6023C764F4A3B14F332486FB824A53D8,SHA256=5DF1A70772693F59254BC0043A3777498E595ABED5A17858F8DADAC7081B46A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:25.911{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59528-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:28.839{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4715FF679E8080700207A04EDCEF63A9,SHA256=3219D0EF1FDC975C1667F1B8300FF9F752EBDDE50FFF2A5E2DCC21EBAA9FB1B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:28.049{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A2B883E7E0DAA54306B3160A5E8245,SHA256=A4BC077896244BB02DF0E9C9DB623EC3C1BE7DBC1CD04C249B0A1F7D1CFB60BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.951{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4DBC3632D8E7FBB5016D6CDBE5948A,SHA256=7E46257478E0BA951162E8B8E99E76E5520377FDE6DD4E430FD44EB0B0FB5846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:29.150{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F047B1D956191BF7C19B6C9E83AF4F,SHA256=8485CB27281AAC2FBA84927E87E67E4539CCBB834C125B878163698096AA09B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.137{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C3CD-63BE-9301-00000000A702}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C3CD-63BE-9301-00000000A702}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C3CD-63BE-9301-00000000A702}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-C3CD-63BE-9301-00000000A702}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:30.241{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E1558D92D17ECB34113924C2B261EB,SHA256=C9FE2EE77C461409ECDB005FBC8A8F3C088F5476650B3227119434455F4191C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.950{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C3CE-63BE-9401-00000000A702}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.950{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.950{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.950{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.950{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.950{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C3CE-63BE-9401-00000000A702}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.950{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C3CE-63BE-9401-00000000A702}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.951{7DAC9CB3-C3CE-63BE-9401-00000000A702}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.231{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0DC268CEE8992F0019942FA02DD741A,SHA256=4917EFE5485C1B7AB92ACE613B145BA2AC0D4B6D393B73905195AA9B12B08A89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.163{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CD8DA6943675BAA7A94884FEFC638E46,SHA256=B8380D7806E4C582EFCEF7F4223C86BF510963235085D47D3A500E1DE7EA36B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:29.768{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49959-false10.0.1.12-8000- 23542300x800000000000000039145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:31.440{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF0E2EBF9ECD99DDAB25E55534ADC61,SHA256=6ADE2DDBB8ECC1FA36B39369C0B8927CA0D0A5E2530EDAC52458625CA26964DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C3CF-63BE-9501-00000000A702}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C3CF-63BE-9501-00000000A702}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C3CF-63BE-9501-00000000A702}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.622{7DAC9CB3-C3CF-63BE-9501-00000000A702}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000101795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.727{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59529-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000101794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.727{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59529-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 10341000x8000000000000000101793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.126{7DAC9CB3-C3CE-63BE-9401-00000000A702}50525940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000101792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.044{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=13522048C8CA73E0D9CE3991D628615E,SHA256=3D735BA93D7809E31831FEA34D146F2C2786F3A63B059F74044E3FF964DCB303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.028{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A53E81FD3726CE67F1CE0A1366684E,SHA256=83B9204C7E86CE7D32D2602B2C168E791739CDED372669B981733164D48C70FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:32.533{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\respondent-20230111135000-021MD5=CA0432AED8832FEC4A268ECD95555CC4,SHA256=F2EC2AB8CCFA0BEF84779FAA8BB551C0FFBD1784CE3F0961E9269E14E4DD7D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:32.513{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9C31F8FB66F077F0328A5CE913C241,SHA256=90B709DC06627720C5B3019360067B1B6D8C6B867B07EA8CD189F6B5533ADF6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:32.125{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFB7033ADF9AB230350E822B4A2E45F,SHA256=FA242DA0B278E92861F6C327D7F4AD639112DF63D517BF360DCAC7B6A1AB9A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:33.617{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF34A718F5824B442B46EEA1BA21CC68,SHA256=782CE415F7234ED7BB4243EB5F68A24BBE73BF4B09872396F0241C5ACB3541D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:33.539{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\surveyor-20230111134958-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:33.428{7DAC9CB3-C3D1-63BE-9601-00000000A702}3926324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000101814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.917{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59530-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:33.202{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F60B2EB6DFB7CF679053A2E373A69BD,SHA256=75F8F41A654A342B8BD3A588166BC0F0DAFCB895F46A5819C1C37454798838FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:33.199{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C3D1-63BE-9601-00000000A702}392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:33.196{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:33.195{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:33.195{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:33.195{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:33.195{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C3D1-63BE-9601-00000000A702}392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:33.195{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C3D1-63BE-9601-00000000A702}392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:33.194{7DAC9CB3-C3D1-63BE-9601-00000000A702}392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:34.597{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F82E517692A4C82124317499779F03F,SHA256=A15473D3010D894CE6D06C2D7D9EDE57F2E036C7A21674A71A22E9122DE7BFB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.943{7DAC9CB3-C3D2-63BE-9801-00000000A702}55924332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.704{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C3D2-63BE-9801-00000000A702}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.704{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.704{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.704{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.704{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.704{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C3D2-63BE-9801-00000000A702}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.704{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C3D2-63BE-9801-00000000A702}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.705{7DAC9CB3-C3D2-63BE-9801-00000000A702}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000101831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.407{7DAC9CB3-C3D2-63BE-9701-00000000A702}54845944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.346{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.346{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.346{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.345{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.344{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.344{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 23542300x8000000000000000101824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.299{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964D0413EF19C4602409242A29A1CBF4,SHA256=0AD547E8D0C0C4EF9D1523890D54D745E15397BA6B1CFDBF420AD89C853DE28A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.182{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.182{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.182{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.182{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.182{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.182{7DAC9CB3-BE86-63BE-0500-00000000A702}420536C:\Windows\system32\csrss.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.182{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:34.182{7DAC9CB3-C3D2-63BE-9701-00000000A702}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:35.794{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2257A62141FA96727BAE5B00384286B8,SHA256=08E2311352E3EC41E730E601C162355B9296BA109334D46D498A99F82951FD06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:35.785{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7033E525B6BF367FA66ADFA851E0CF5,SHA256=F3710F00B64956DCD558AF4EE72FB01BD0F55759D0EFFED42616B2A9BC1D7344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:35.407{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E372CB42BCB6B459B5BEC2F3F441C68E,SHA256=803D946F47752C476C41994856CEF75EAE9A6E89898A84D52F437EDA3C9F3272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:36.901{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E5CBC2E046AC4690ACE2A0534C18DC5,SHA256=64F41ADE6DB5575A88872B9012D56A3988A4A2BC0B2E74E01C3931C02844FF2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:36.653{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C3D4-63BE-9901-00000000A702}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:36.653{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:36.653{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:36.653{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:36.653{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:36.653{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C3D4-63BE-9901-00000000A702}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:36.653{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C3D4-63BE-9901-00000000A702}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:36.654{7DAC9CB3-C3D4-63BE-9901-00000000A702}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:36.512{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1667CD8DFF439ECC49CDA55897E44E,SHA256=7D7E403577AB26DFC4EBFE427464B7D9C4C98F2664D55F3F2D849845A30CBC67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:37.606{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5189EEC86EF6462980C07F99E8DDCB9A,SHA256=79233801E93A6AD1490B74B77895317BE3631ABFB17EF75EF041BE721DE16410,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:35.670{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49960-false10.0.1.12-8000- 10341000x8000000000000000101888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000101853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.712{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78BA575EFD93436B151B9E6BCE42AB4,SHA256=06CFE7BC1C5DC0AF8C38A9155CCDB6F02D0F9DA6717A6B6B838D64800FACAC25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:38.207{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDCBF9F2452E431AE037897EB9D9000C,SHA256=873518E5C3AFB8D17CEC4A57B6509C053E943FBB5D023BBDA350BE330A4276F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:39.394{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22088680EFCA16C339154157DB628A16,SHA256=A1D102541C4975829F3A9A3BC4209B28778A9CE4D44886A4375AEBB999FBFC9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:36.999{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59531-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000039157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:40.489{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5236F90541186993260436CD7E3D392,SHA256=989A754ABD282EA8D705EA19A4CDB0B28078A181B53485887718BDA53A824D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:40.295{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5125E2E7A56D3812CEF9C16416E44580,SHA256=8731613C78C54CF6A1AEC7EBCAB1E1F0323C1782FC90274CE9673251F35AF81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:41.589{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4354010CE7682E97DA42BFBF74F02CB6,SHA256=970B9B35716B70972F7B3680C79B4A4D352C5B7A2D789F648E49698EAD7E5623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.956{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.955{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.948{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.945{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.933{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.930{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.926{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x8000000000000000101910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.472{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01598E6816AC5B11A6B9F2A9A41BA642,SHA256=6B16703137639E5605BE5D13047C3EC34D54483DF51CB3AFF03DAAD7335DB268,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.304{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.290{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.278{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.270{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.268{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.264{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.218{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.213{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.208{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.193{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.175{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.156{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.145{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.131{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.120{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.110{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.100{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.032{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000101891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.029{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000039160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:42.693{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B55D50323617DBE5D84B5D82B33931,SHA256=9894B0780F8CF5010C67E97081BA7BC488F24D4E0BFB25C01D1CBD00F2844B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:42.536{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84FB120B9F3819E8729155E89AFB4428,SHA256=DEE0EE253E376A645B41E0DDC06011922C21D20F0F6BC937AF825B32A5ECE7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:42.093{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=62F1104304AC813BF51B1413A33662E8,SHA256=F7FA5064EBCE52D9BEE33EC2DCA7E0DF655E49B1D25F1AACBD8D362151FB8FC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:41.651{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49961-false10.0.1.12-8000- 23542300x800000000000000039161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:43.890{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DE10C91EB79260E63709F292910174,SHA256=FDBD0BED08D40E372CFF35AD057FA723E69E51C4D7F98BDBE1941752989F3F08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:43.998{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:43.997{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x8000000000000000101919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:43.643{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925F48CA71E3388597043F3C9526773D,SHA256=DDD1D201AA64F4D7B12BB1D1D74BE2CCE5931517017D6B29A1437EA67EBF3A67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.993{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000101939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.728{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886EC6D86A18C1ACCAC8755116B6686C,SHA256=842C68FDCC545EF36D60A32B83019E7A464D489D2AA175DF24A88902FE59DCA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:42.848{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59532-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000039191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.681{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.677{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.674{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.672{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.670{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.667{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.665{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.662{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.660{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.654{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.646{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.641{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.638{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.626{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.611{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.607{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.588{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.575{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.524{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.514{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.498{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.483{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.468{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.461{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.447{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.436{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.419{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.410{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.406{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x8000000000000000101937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.618{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C296-63BE-6E01-00000000A702}6532C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.614{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.611{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.598{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.584{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.549{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.540{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.531{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.525{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.523{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.519{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.516{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.513{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.511{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.509{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:43.999{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x800000000000000039192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:45.286{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E80B522A85A39060CF711061E9EB834,SHA256=07F4096264B208FF9FBB7FC6259EDA31DC4327BB35B043F4FC311FA970F5D0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:45.707{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915F3E9DBD8ECBCC17A28E154BBDF088,SHA256=63394C324ABF2DEBB3EC8E06AF117334F9782B252A93AF93C62A1264BAC3AEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:46.814{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DA5458C3C05AF83B28ACC6EB2505C8,SHA256=A1E5291228796984E74C89BC81655C6927BA1FB07049DEE19AF5FE90B804C5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:46.369{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EB7E2600CBB6F3FC18BD5C5F338710,SHA256=0FA7A2832E598DCD7A090A1E3AE2D599F94E642856730259AC538D183F1B2E2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:47.467{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B85EA3106B9F6AF7E169E6201B3F161,SHA256=AB95751C8869EC7C287A232466D4EDF87DB8106D7B988D5A9C2AE9620F96B6F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:47.907{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E2908A308E17E85B64BF62652DC34E,SHA256=4744469164103DA75540D6E627B20BCE8AD3A494B6D0254F19AE51FAAE3D7052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:48.673{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB367121EF2BB1585D47C3C7526406FB,SHA256=9F68840AA5A00CD5C58B760FD8477C014FAF8F5A69F78205FFE82EE77377D99B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:48.997{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC596155B9F516289D13AA87826830CE,SHA256=9333BE06AF23DB9E7982DFD5632BF4CC3F6D6BB7FABD943CFA6845659A57E767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:49.757{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B442D91824015BA210EB676EAA039E,SHA256=4C9AB01F90548156774746C201452F968F4578647194321C2982A42BED55A9D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:46.805{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49962-false10.0.1.12-8000- 23542300x8000000000000000101945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:49.974{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\respondent-20230111135017-021MD5=07F426DA1BACB3E11353998655DE41A4,SHA256=9692EE6582095E917EA0BD91D619685FE73AB8816512AD24B6859CB275BF64B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:50.857{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2037854931FC5092FE7D891B903C94,SHA256=41EBA4FB233F7B782D49FE5D5E2FE70135C2082EC27ECA89375646764CD58DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:50.979{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\surveyor-20230111135015-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:48.855{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59533-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:50.074{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E76D52E609ACED02DD66B5479A99FAF,SHA256=9CCC02791C823C5F2EABC99BA8464F208A9707BE22599E83E144C76E42C6D103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:51.960{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C80A1B24A8F3DF76EDB966C18EC7D3,SHA256=0DDE2424EA70BC96AC40EFD42C9E80D1E8C61DEE25886EEF038AB8FB06198EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:51.162{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1822D2A6B3D6C5CE84BFA86297F255D,SHA256=95C31A7C8353C1F24AD1AED3B2A33DD0B4775534E51523ACC2D4A4C13F76D65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:52.380{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C88DCE6054774B2EA79F31E72A23123,SHA256=67E6E0CC3AAC7EA041D2201A16E936121DA493182C2045F646C6EA3C6526B6ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:53.464{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C38170BE6BD35E6D12F64370731AC3,SHA256=DC6C242E11389FAA54561B2E4A1A83456968AE39E877A201A92036028350B3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:53.063{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5148A33F6108EB089E4E1F08965291C,SHA256=F76E20516470C1BEB671A1415BF34FFD6E9E6C15C0536BCEAEF6CFEC47D8581E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:54.668{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3EAEEF4D3861B776DDA9BAA0A1B9DB,SHA256=12931B242959E2F965536538923A2CC28928930479FE653E310DA634EC60BD54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:54.261{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEB5AECC2A9C467FD0F377AA5FF563D,SHA256=F6D77F5301C4E68384C88F195BFA287172D81BAE47856958179A7D5BD96E53B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:53.981{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59534-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:55.778{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F526DBE7C22F132FF80A2E27E1F4C73F,SHA256=4B53781444AD72267814B322A332BCC5A15FABACEC66AEF61A0D77724DF26884,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:52.667{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49963-false10.0.1.12-8000- 23542300x800000000000000039202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:55.470{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007957B401D2AC4CF0C486566FE4B2EA,SHA256=6FD984095483694328DEAF07CC3500764EBC0DB9557D89B904E883F9AE9C494D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:56.781{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C30DBC2F729B70200B74248F6081DE9,SHA256=D2B84001E398315B034A174D6A21712EB8FFA446BD97C9CF2FEF682F780AC82F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:56.873{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933415D58DC952554D9FA2E16F4310C3,SHA256=F51CEAD83C7E1D8B692376E45690526696B05713AD0D0FBCACFA6D462122679F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:57.990{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A01D6BFAD4627FCFBDBAB4737615D6,SHA256=5AF57E3617E3B427C8F4DE2277E58C723856A987424529292AF69443173F7602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:57.940{3EE3745C-BE85-63BE-1100-00000000A802}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EBFAB28FE922F24CF7F42DCEFA6B39D7,SHA256=0BED1B3F2E9D537B90C0DF7AE57DE5342949CB292FF2CF829A6D4582558D4D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:57.960{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3DD02BA9013BF7A0176434FAE2A09F,SHA256=5B49A0EC2A6290425BDB098E741396DC692C6FB14E2C01697357DA9395DDC7AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:59.060{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEDBE1CD86A402A2BE810A8F4FDBC18C,SHA256=EC99FB86AD53F84B3603D0C6C9274831F439267FFD16F27046738667D0C2A020,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000039217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000039216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001523cd) 13241300x800000000000000039215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d925be-0x6cb89372) 13241300x800000000000000039214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d925c6-0xce7cfb72) 13241300x800000000000000039213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d925cf-0x30416372) 13241300x800000000000000039212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000039211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001523cd) 13241300x800000000000000039210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d925be-0x6cb89372) 13241300x800000000000000039209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d925c6-0xce7cfb72) 13241300x800000000000000039208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d925cf-0x30416372) 23542300x800000000000000039207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:59.077{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=109D48664FA8287870279A9B90A28F11,SHA256=CEA4B6AD741C6CC6896594D9E9263884111295B534F36F6577CEBE037112B04B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:00.377{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A4B664C731F9BAFEEF1F56765E1AD6,SHA256=CCEEB3D3342B8956D8489CD167D0DF92A7FE19C7E25AD8FA18B55753CA540A96,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:58.612{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49964-false10.0.1.12-8000- 23542300x800000000000000039218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:00.280{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A17F605ACBA6DDAB7B50B0C278144D42,SHA256=CCAD4B610E8D5539D7A42EA77F2D43FF04BA4EB6B14E545D3207C2926E8173AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.813{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.811{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.803{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.799{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.790{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.786{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.782{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x8000000000000000101980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.439{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8274BF55FB897516B3AE521E0FEC6171,SHA256=1A144AB2E99287B15BEA069FDC21C2DFE53CDBC0013E381111B226F76172DC91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:01.391{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B210B9EF056E45313FDE813A2B79ED95,SHA256=76CD343D700246CA928951D600392D56BF4418BDC3983D6A5A69D3123FDE6DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.303{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5130E7B6A4DF4411E9C5FD0A6B569F90,SHA256=15447CAF8285BB427A88C8F0D8ED1DB2342EE7A3851C133E7021A4B05724BC2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.257{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.240{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.231{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.226{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.223{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.220{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.179{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.173{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.166{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.149{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932